- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 19 May 2009 12:07:01 +0200
- To: marcosc@opera.com
- Cc: public-webapps <public-webapps@w3.org>
I'm not particularly happy with this proposal, mostly since it doesn't seem to make the case of "I don't need anything scary" easy. My take on where we were in the end of the call yesterday is as follows: 1. A widget runs in its own domain of trust. 2. Communication of that domain of trust with the network is prohibited by default, but can be turned on selectively. 3. If the permission is turned on selectively, then it becomes possible to have something like an iframe from an origin on the Web involved (or a script tag, or ...). 4. If such an iframe occurs, then the HTML5 security model applies for communication between the different trust domains, with a random origin applying to the widget. 5. If such an iframe occurs, it won't have access to device APIs under the model that the widgets 1.0 spec includes. It might acquire that access later on, e.g. as a result of the device API working group. Example: <access> permits access to the domain foo.com. A widget's main HTML includes something like: <iframe src="http://foo.com/"/> We now have a document object that describes the top-level widget, and a document object that describes the iframe. The top-level widget document object will have a random origin that is distinct from "http://foo.com/ ". That means that the two objects can't script each other, and can only exchange data through postMessage (leaving side channels out of the picture for the moment). The disagreement was whether the iframe from "http://foo.com/" should be able to access network resources that do not "match" "http:// foo.com/". My argument was that I'd prefer to not specify yet another subset of the HTML5 security model. Arve's argument was that attack surface would grow unacceptably, and that, therefore, a Web application that executes within an iframe that can in any way communicate with a widget MUST be constrained in the same way the widget is. Arve, I hope this is a fair summary. Maybe we can start the conversation by reflecting whether any of these points of agreement aren't? -- Thomas Roessler, W3C <tlr@w3.org> On 19 May 2009, at 11:18, Marcos Caceres wrote: > With my "editor" hat on, I would like to propose the following > security model for widgets: > > 1. If no <access> element is used, the application type (e.g., HTML, > Flash, whatever) is responsible for providing the security > context/rules under which the widget runs. For HTML this means that a > widget runs as if you had dragged a HTML file from your hard-drive > into the Web browser. > > Then, it is up to the implementers if they allow such widgets to run > or have access to features (APIs). Distributors may not allow these > widgets to be distributed, but that is their prerogative. > > This defers the security problem to HTML5 or whoever wants to make use > of widgets as a packaging format. HTML5 already has to deal with > situation where HTML files are run locally or with a synthetic origin > (think email attachments). > > 2. If <access> is used, then this is an "op-in" to a "widget security > model" and all network activity is blocked by all means (like a > firewall), except those access requests made via <access> element that > have been granted by the UA. Access requests are granted via the UA > security policy, which is outside the scope of the Widgets spec. > > I personally think <access> should be removed from Widgets 1.0 and > deferred to Widgets 2.0 once it is properly sorted out. > > -- > Marcos Caceres > http://datadriven.com.au >
Received on Tuesday, 19 May 2009 10:07:19 UTC