Re: [widget] Security model

On Tue, May 26, 2009 at 12:01 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, May 25, 2009 at 2:34 PM, Marcos Caceres <marcosc@opera.com> wrote:
>> should the following inline resources load?
>>
>> <html>
>> <script src="http://foo.com"></script>
>> <img src="http://foo.com/image">
>> <iframe src="http://bar.com">
>
> I haven't studied the widgets use case in detail, but these sorts of
> loads usually aren't restricted.  If it's fine for attacker.com to
> load these resources, why would it be problematic for widgets to load
> them?

Yes! These are exactly the questions I'm trying to get answers to :)

>> And what is the origin?
>
> The origin is the scheme, host, and port of the document's URL.

I know what "origin" means; what I was asking is, what is the origin
for the widget example above? (For fun, pretend I sent the widget to
you over Bluetooth.)

In the spec, Widgets have no "origin" at this point. We are trying to
create a widget:// URI scheme.

http://dev.w3.org/2006/waf/widgets-uri

>> I'm not interested in getting bogged down in complex terminology,
>> fancy pants RFCs, and things that are hard to understand, at this
>> point. I just want to take the average widget developer (me) point of
>> view in an effort to understand how it works (or not) in practice.
>
> To what practice are you referring?  Are there deployed widgets that
> have already made assumptions about these behaviors?

I'm referring to my own personal practice. I want to develop some of
these W3C widget things, I hear they are pretty neat.

Yes, there is an assumption that you should be able to create a web
page, a web page for the iPhone, a W3C widget, and they should all
work seamlessly.
See this misleading blog post:
http://www.quirksmode.org/blog/archives/2009/04/introduction_to.html
... it highlights what developers are expecting.

-- 
Marcos Caceres
http://datadriven.com.au

Received on Monday, 25 May 2009 22:25:09 UTC
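
Added illustration, not part of the original message or of any W3C widgets specification: the origin tuple discussed in the thread, computed for the three inline resources in the quoted markup and compared against two constructed document URLs. The `widget://example-widget/` authority and the rule that a document without a tuple is never same-origin with anything are assumptions made for this sketch.

```javascript
// Added example. Default ports used to normalise the (scheme, host, port) tuple.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Return the origin tuple, or null when the scheme gives no network
// authority to build one from (file:, data:, a packaged widget, ...).
function originTuple(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  // Assumption: documents without a tuple never match any origin.
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Inline resources from the widget markup quoted in the thread.
const RESOURCES = [
  { tag: "script", url: "http://foo.com" },
  { tag: "img", url: "http://foo.com/image" },
  { tag: "iframe", url: "http://bar.com" },
];

// crossOrigin only labels the load; as the thread notes, script, img and
// iframe loads of this kind usually aren't restricted.
function classifyLoads(documentUrl) {
  return RESOURCES.map((r) => ({
    tag: r.tag,
    resourceOrigin: originTuple(r.url),
    crossOrigin: !sameOrigin(documentUrl, r.url),
  }));
}

// Constructed document URLs: the same markup served as a web page and
// opened from a widget package (hypothetical widget:// authority).
const CASES = {
  web: "http://foo.com:80/page.html",
  widget: "widget://example-widget/index.html",
};

for (const [name, docUrl] of Object.entries(CASES)) {
  console.log(name, originTuple(docUrl), classifyLoads(docUrl));
}
```

Served from `http://foo.com`, only the iframe is cross-origin; opened from the package, the document has no tuple at all, so every load is cross-origin and the "what is the origin?" question has no answer until the scheme defines one.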