W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [widgets] What does it mean to have an unavailable API

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 4 Jun 2009 00:25:34 -0700
Message-ID: <63df84f0906040025t2cb2af08s28164f854eb2c1d9@mail.gmail.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: Scott Wilson <scott.bradley.wilson@gmail.com>, Henri Sivonen <hsivonen@iki.fi>, public-webapps <public-webapps@w3.org>
On Wed, Jun 3, 2009 at 3:16 AM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Jonas,
> requestFeature() is mainly (still debated, though) for websites, i.e. online content where the <feature> is not present.
> <feature> is for packaged widgets only.

Ah, so requestFeature() is a BONDI spec, not a widget spec?

>>>However this does not seem to be true
>>>if the exploited code could simply call requestFeature() first, and
>>>then use the feature.
> Calling requestFeature() does not mean that the security aspects are omitted.
> The check against the security policy happens when requestFeature() is called.

As it was described to me by Marcos earlier in this thread, <feature>
was used so that a widget could statically declare which security
sensitive features it desired to use. This added security because if
the widget was hacked, it could never use more security sensitive
functionality than what had been statically declared using <feature>.

So for example a widget that displays the current time would not need
to claim access to any security sensitive APIs like camera or network
access. This way it wasn't such a big deal if someone managed to hack
the camera widget and get malicious code to run in the widgets
security context, since that malicious code would not have access to
camera or network.

But if the malicious code could simply call requestFeature to gain
access to camera, the above description no longer holds true.

/ Jonas
Received on Thursday, 4 June 2009 07:26:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC