[webappsec] FW: security model of Web Components, etc. - joint work with WebAppSec? from Hill, Brad on 2013-03-18 (public-webappsec@w3.org from March 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Mon, 18 Mar 2013 19:53:43 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27969D26@DEN-EXDDA-S12.corp.ebay.com>

By the way - it came to my attention that there was a small misconfiguration at my end that may have caused many of you to not see this message I sent to the list on March 8.  If this is a topic of interest, the discussion is beginning over on public-webapps.

-Brad Hill

From: Hill, Brad [mailto:bhill@paypal-inc.com]
Sent: Friday, March 08, 2013 4:56 PM
To: public-webappsec@w3.org; WebApps WG (public-webapps@w3.org)
Subject: security model of Web Components, etc. - joint work with WebAppSec?

WebApps WG,

  I have been following with interest (though with less time to give it the attention I wish) the emergence of Web Components and related specifications. (HTML Templates, Shadow DOM, etc.)

 I  wonder if it would be a good time to start discussing the security model jointly with the WebAppSec WG, both on list, and possibly at the upcoming F2F in April?

  One of our goals in WebAppSec is that a mashup web of re-usable and composable pieces be possible to do securely. An example anti-pattern in this area is the widely deployed <script src="someothersite.com/canOwnYou.js"> pattern for things like analytics, social widgets and social login.  This pattern makes the Web more brittle, such as the "Facebook broke the Internet" bug recently when a script error in Facebook Connect redirected a huge chunk of the Web to a Facebook error page.   We security folks that work in both the web apps and PKI areas stay awake at night worrying about bad guys getting a certificate for Google Analytics or Omniture and XSS-ing 90% of the Web.

  I don't see much in these specs or via a quick search of the list archives on the security models for the new Web Component and Shadow DOM type integration models when they involve foreign components.  There is some level of isolation implied, but I hope there is interest in defining what, if any, the security guarantees of such are and how we might make this kind of composition more pleasant and useful than a sandboxed iframe, but still robust against errors or attacks such that popular components don't become single points of failure for the entire Web.

Thanks,

Brad Hill
Co-Chair, WebAppSec

Received on Monday, 18 March 2013 19:54:12 UTC