Re: [widgets] Widgets URI scheme... it's baaaack!

On Fri, 22 May 2009 19:13:35 +0200, Larry Masinter <masinter@adobe.com>  
wrote:

> What makes a set of widgets "related"? Is there an attack where
> based on UUID knowledge where two unrelated widgets could somehow
> appear "related"?
>
> What "existing infrastructure for security" are you planning
> to reuse?

Not having to rewrite from the bottom up how XMLHttpRequest works, and is  
checked in most user agents, as an example (It goes for a lot of other  
code in DOM).

> Often, security loopholes are introduced when reusing
> security infrastructure designed for one context in
> a way that it wasn't designed for.
>
> "thismessage:/" basically didn't allow references outside
> the package at all. By adding a UUID and alluding to
> "related" packages as possibly being available, "widget"
> might become a vector.
>
> I'm not saying it is, I'm just saying that getting external
> review for security mechanisms and assumptions is critical.
>
> Larry
> --
> http://larry.masinter.net
>
>
> -----Original Message-----
> From: Arve Bersvendsen [mailto:arveb@opera.com]
> Sent: Friday, May 22, 2009 9:55 AM
> To: Larry Masinter; marcosc@opera.com; public-pkg-uri-scheme;  
> public-webapps
> Subject: Re: [widgets] Widgets URI scheme... it's baaaack!
>
> On Fri, 22 May 2009 17:29:57 +0200, Larry Masinter <masinter@adobe.com>
> wrote:
>
>> If the widget: scheme is intended for inter-package references
>> then there are security issues with that. If not, then why the UUID?
>
> At the time of writing, I do not see them being used for inter-package
> references (If my understanding equals yours here, as in "references
> between otherwise unrelated widgets".
>
> The UUID? Well, it actually eases implementations a bit, since an
> implementation can use the UUID as "domain" when requests are made, which
> actually allows vendors to reuse existing infrastructure for security
> checks and so on.


-- 
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/

Received on Friday, 22 May 2009 19:27:22 UTC