
Re: security model of Web Components, etc. - joint work with WebAppSec?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 15 Mar 2013 16:54:18 +0000
Message-ID: <CADnb78ggSnW+21NCDvn0EzJ63gUdcUQYMDPtGNn-fDbM3czA5A@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: public-webapps <public-webapps@w3.org>
On Fri, Mar 15, 2013 at 4:37 PM, Hill, Brad <bhill@paypal-inc.com> wrote:
> As I mentioned in my introductory message, I am specifically interested in the security model of components loaded cross-origin - do they get complete control of the application / DOM into which they are loaded? Does an application have any ability to restrict or explicitly pass capabilities to a cross-origin component?

What's currently specified at
https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/components/index.html
means that the page including the components gets full access to do
something with them. It's basically nothing more than exposing the
document response, like you can do with XMLHttpRequest.

It does seem problematic if we start building automatic component
creation on top of that as that basically gives you <script> all over
again.


-- 
http://annevankesteren.nl/
Received on Friday, 15 March 2013 16:54:46 GMT