[widgets] Draft Minutes from 18 May 2009 Widgets Security VC

The draft minutes from the May 18 Widgets Security voice conference  
are available at the following and copied below:

      <http://www.w3.org/2009/05/18-wam-minutes.html>

WG Members - if you have any comments, corrections, etc., please send
them to the public-webapps mail list before 21 May 2009 (the next
Widgets voice conference); otherwise these minutes will be considered
Approved.

-Regards, Art Barstow

    [1]W3C

       [1] http://www.w3.org/

                                - DRAFT -

                    Widgets Security Model Voice Conf

18 May 2009

    [2]Agenda

       [2] http://lists.w3.org/Archives/Public/public-webapps/ 
2009AprJun/0535.html

    See also: [3]IRC log

       [3] http://www.w3.org/2009/05/18-wam-irc

Attendees

    Present
           Art, Arve, Marcos, Thomas

    Regrets
    Chair
           Art

    Scribe
           Robin

Contents

      * [4]Topics
      * [5]Summary of Action Items
      _________________________________________________________



    <ArtB> Date: 18 May 2009

    <ArtB> ScribeNick: ArtB

    <tlr> +1 to Art not scribing

    <scribe> Scribe: Robin

    <scribe> ScribeNick: darobin

    AB: agenda a bit vague, but has pointers to previous discussions
    ... we don't have consensus yet, we need it for LC
    ... this is the last piece that we need to get nailed down, we're
    under time pressure to get this out for people to start implementing
    ... ideally at the end of this meeting we will have consensus about
    what it is we need to do to get LC out this week

    MC: the first thing we need consensus on is whether we want the
    HTML5 model
    ... if we are going to use the HTML5 model we need some kind of
    opt-in or it should be on by default

    TLR: It think there is a more nuanced question to ask: which part of
    that model we need
    ... it governs access to cookies, frames, network (XHR and inline),
    and storage + other APIs

    MC: right

    TLR: I think the discussion is largely around network access,
    possibly storage
    ... haven't seen much discussion about the others, but they will
    materialise once access is given
    ... the quesiton is largely around network access

    Arve: I don't think it's possible to separate network access as a
    boolean from the general model and how you compute origin

    TLR: why?

    Arve: because in terms of context for an extended permission model
    which we have already allowed in existing implementations, you run
    into the case where resolving a URI in itself and trying to request
    it is alreay a source of information leakage

    TLR: what I was saying was that as far as communication and access
    within the WRT the only thing I see on the table is the html5
    security model
    ... I think that Opera has a separate model to grant access to URI,
    but I haven't heard you saying that you are deviating from the HTML5
    security model

    Arve: the background is that Opera's implementation used to treat
    inlines as they did in HTML4
    ... however that's not an acceptable model when allowing access to a
    phone's address book
    ... because you have potential information leakage

    TLR: that is a fundamental point for the DAP WG's charter
    ... the quesiton is what is the scope of the question
    ... can we solve this and reach decision without solving the DAP
    WG's problem

    Arve: what I'm saying is that you can't make a decisin on one
    without making a decision on both
    ... security is intertwined with the Device API
    ... I think we should be gathering requirements and use cases, and
    figure out where we can go

    TLR: do you think it is possible for P+C to enter LC with a minimal
    security model that another WG can build on within the timeframe of
    a few weeks

    Arve: if you do that I think you'll end up with conforming but not
    interoperable

    TLR: so is Opera saying that P+C shouldn't enter LC before DAP has
    concluded?

    Arve: no, I think this is hard to answer
    ... I don't think we can ship widgets without a security model

    TLR: I agree on your meta-meta point that it would have been nice to
    do this earlier, but it hasn't happened
    ... but is there a minimal piece of model that a) needs to be
    specified, and b) can be specified without solving DAP, and c) can
    be done in a very short time?

    Arve: I don't think it's possible
    ... it can be done in a short time, but I don't think we can skim
    ... if the P+C has syntax that doesn't match the security, it is
    meaningless

    MC, TLR: agree

    MC: the specs are broken apart for editorial, not technical reasons
    ... we could say as we do for window modes, these are the correct
    WMs
    ... we could have an origin attribute with html5, any, etc and given
    that have enough to go on

    TLR: you want to specify an origin where the value of that
    element/attribute would not be bound by anything to the widget — I
    think that would be a disaster

    MC: why?

    TLR: because if the framework is the html5 model, then any network
    resource is accessible
    ... I woulndn't go there
    ... we're talking mechanism when we should be talking goals

    RB: I thought we had some rough path towards consensus using the
    strictest access as default, some syntax to switch to html5, and a
    way of using strict+the access mechanism
    ... based on our IRC discussion

    AB: if we don't do anything, will OMTP define its own?

    RB: yes

    AB: and they'll leave it as an implementation model?

    RB: the original OMTP model was that everything was closed, and the
    access element could be used to open it

    TLR: is it a workable compromise to close everything and use access
    to open all network? (inline+xhr)
    ... my goal is to a) not hold up things, and b) not devise something
    ad hoc that will come back to haunt this WG and DAP
    ... we don't want to constrain DAP with a hack
    ... this WG should not try to solve the entire device API problem
    ... but I hear Arve say that the HTML5 model is too flawed, and if
    that's the case then I don't know how to move this forward

    Arve: you are making one assumption too many
    ... the html5 model is completely adequate in a few set of cases
    ... we have two completely different security contexts here

    <arve> I'll type here

    <arve> 1. Let's say you have a web UA that has "Save as Widget" for
    web pages

    <arve> for instance on GMail

    Arve: in this use case we have a web page converted into a widget

    <tlr> why would that use the P&C framework?

    Arve: or running widgets on the web, like Google gadgets, that sort
    of thing
    ... those are fine inside the HTML5 security model
    ... and we need to offer them that option
    ... case 2 is when you have third-party information available to the
    widget (ie device APIs) or limited cross-origin access
    ... e.g. scraping Google while tlaking to your Yahoo account
    ... or talking to your Yellow Pages and matching against the phone
    book on your device
    ... there, the HTML5 security model is too thin, information can be
    leaked

    TLR: you are making one assumption too many about what I said
    ... I thikn that the HTML5 model should be used for some things (eg
    inter-frame comm), but cut down on anything that accesses the
    network
    ... for any network access, restrict the HTML5 model further

    Arve: I think I agree with this
    ... I think we agree on the end result

    <tlr> 1. no origin inside the package

    <tlr> 2. random origin generated at instantiation time

    Arve: I think we need a model that striclty enforces which networks
    can be reached

    <tlr> 3. use HTML5 mode, *but* cut down on network access, unless
    <access> is used to grant network resoruces access

    Arve: this is circles all the way down
    ... any network access within any resources, in addition to the
    html5 checks is also subject to what the widget says it can access

    TLR: specifically about iframes?

    Arve: no, everything

    TLR: proposal (for use case 2) get a zip archive, it includes a
    widget, that widget wants an iframe, in order to get it it needs to
    access the network
    ... (or img, or script)
    ... there MUST be an access element that allows that
    ... then, the communication between the various DOM, and the rest,
    is governed by the HTML5 security model
    ... so to *get* an iframe from a.com, the widget needs an <access>
    element to let it do that, but then the rest is subject to html5

    Arve: if you have recursive inclusion, what rules govern that?

    TLR: html5
    ... if I've granted access to a.com, if they collaborate with
    evil.com, then there's nothing I can do anyway

    Arve: my point is that an origin on the web might be an origin you
    trust
    ... so I might trust a widget to access my domain
    ... but if my domain has a security hole that has an XSS issue that
    includes an injection from a third-party
    ... then if <access> prevent third-domain access, I will be
    protected against that

    TLR: I think that that approach is a very likely recipe for disaster
    — because of complexity
    ... my assymption is that if I'm in an iframe that comes from the
    web, it will not have access to device APIs

    <arve> 1. Inject script into widget main document

    TLR: I'm also assuming that an iframe inside a widget, whatever
    access that iframe has follows the traditional sandboxing
    ... so it gets to the web, not to the APIs

    <arve> 2. Read content without legitimate access

    <arve> 3. Use hole in widget to inject content (specifically
    scripts) into example.com/someurl

    <arve> 4. Let injected content point to evil.com/someotherurl

    TLR: all of that will get a lot more complex when we expose device
    APIs to the web proper — I share the concerns but right now can we
    try to constrain the model to make clear when the code can do stuff
    on web and reuse the html5 model

    Arve: you're making an assymption about implementer complexity
    ... look at the script inhection above
    ... that content is injected into your trusted resource
    ... this is not far-fetched — and it circumvents the access policy
    that you describe
    ... that

    bah

    Arve: that's why I think that inner resources should not have access
    to the DA, and that they should all have the same network
    restrictions

    TLR: what I'm disputing is that we're creating a separate execution
    context for web content
    ... and I think we shouldn't be prepared to go there, it's out of
    scope and not the simplest option
    ... the complexity I'm worrying about is not implementers'
    complexity but adding YA secuirty model
    ... want to keep it as simple as possible

    Arve: this doesn't imply increased complexity in the system, only
    the runtime has to check that access rules are permitted

    TLR: our contention is about the access that an external web app
    gets through the network when running inside an iframe inside the
    widget
    ... the increased complexity is likely not written specfiically for
    the widget execution context
    ... and we're changing the way that web app expects to be run

    Arve: if an application doesn't expect to be run in a widget, it's
    not going to request to run DAs
    ... my proposal is that a) access to APIs with stricter checks, and
    b) the html5 context without such access
    ... enforcing access only one level down is not going to be
    acceptable to operators

    <arve> Two models: 1) No extended access, computed http origin,
    running without extended access, or awareness of sensitive apis

    <arve> 2) Extended access, subject to strict security model

    TLR: so you're saying that one level down has access to DA, but I
    think that concern applies to the same way with any web app that
    deals with sensitive data and we're accepting it there
    ... so you say you get a different execution context for iframe
    inside a widget and I think that's risky

    Arve: the only deviation I propose is that <access> applies all the
    way down
    ... as implementers this is simpler too

    TLR: my proposal is if orgin = web then use web model, if origin =
    synthetic then use restricted access model

    AB: let's summarise agreement
    ... and see what we can do about disagreement

    Arve talks of a former Opera proposal

    AB: TLR put forward a proposal that passed the "I can live with"
    test for LC, whereas Arve seems to require more work which would
    delay things
    ... is that fair?

    TLR: I would add that I think we have agreement for anything that
    has come through an intermediary — should go through access control
    ... I think we have disagreement about what happens with inline
    context, and what SM should apply there
    ... I'm saying just web model, and Arve is saying needs further
    constraints

    <arve>
    [6]http://lists.w3.org/Archives/Public/public-appformats/2008Apr/009
    6.html

       [6] http://lists.w3.org/Archives/Public/public-appformats/ 
2008Apr/0096.html

    <arve> specifically,
    [7]http://lists.w3.org/Archives/Public/public-appformats/2008Apr/att
    -0096/w3c-security.html

       [7] http://lists.w3.org/Archives/Public/public-appformats/ 
2008Apr/att-0096/w3c-security.html

    TLR: I can't join on thursday
    ... I can do Wednesday same time

    <arve> marcos: you're not entirely aware of what you're asking,
    because "running a file in a browser" is known to not be
    cross-browser compatible

    AB: I can't but it's okay if you do it without me

    Thursday is a public holiday in many places

    RB: tomorrow same time?

    TLR, AB: fine

    AB: homework, take a look at Arve's model and discuss tomorrow
    ... also think about splitting <access> out of P+C so that P+C could
    proceed through LC

    Arve: before you read the document, understand asumptions that
    externally ref'd documents are still subject to the web SM

    <arve> ... with the addition of network restrictions

    <arve> ... as enforced by config.xml

    TLR: so what's described is what happens in addition to the basic
    security model

    Arve: yes

    TLR: good

    <tlr> conference Team_(wa)11:00Z scheduled with code 83261 (TEAM1)
    tomorrow at 11:00Z for 60 minutes until 1200Z

    <tlr> artb, see above for code for tomorrow

    <tlr> it's actually the same as today

    <ArtB> AB: Same time tomorrow; same channel; different PIN to be
    annouced in this channel

    <ArtB> tlr, roger that

    <ArtB> AB: meeting ajdourned

Summary of Action Items

    [End of minutes]

Received on Monday, 18 May 2009 12:12:44 UTC