[Widgets] Security Considerations

In order to register application/widgets as an official MIME type with
IANA, we need to have a section in the spec that outlines the security
considerations. I've made a first stab at this section (below)... but
I'm no security peep, so I would appreciate some input from those that
know better...

[[
Security considerations

This section is non-normative.

In addition to the security considerations specified for Zip files in
the [Zip-MIME] registration, there are a number of security
considerations that need to be taken into account when dealing with
widget packages and configuration documents.

As the configuration document format is [XML] and [Unicode], the
security considerations described in [XML-MIME] and [UTR36] apply.

The configuration document allows authors, through the feature
element, to request permission to enable third-party runtime
components and APIs. As these features are outside the scope of this
specification, significant caution needs to be taken when granting a
widget the capability to use a feature. Features themselves define
their own security considerations.

Widget packages will generally contain ECMAscript, HTML, CSS files,
and other media, which are executed in a sand boxed environment. As
such, implementers need to be aware of the security implications for
the types they support. Specifically, implementers need to consider
the security implications outlined in the [CSS-MIME] specification,
the [ECMAScript-MIME], and the [HTML-MIME] specification.

As this specification relies on the standardized heuristics for
determining the content type of files defined in the SNIFF
specification, implementers need to consider the security
considerations discussed in the [SNIFF] specification.

As this specification allows for the declaration of IRIs within
certain elements of a configuration documents, implementers need to
consider the security considerations discussed in the [IRI]
specification.

]]

-- 
Marcos Caceres
http://datadriven.com.au

Received on Monday, 26 October 2009 17:46:44 UTC