- From: Marcos Caceres <marcosc@opera.com>
- Date: Mon, 26 Oct 2009 19:45:49 +0200
- To: public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
In order to register application/widgets as an official MIME type with IANA, we need to have a section in the spec that outlines the security considerations. I've made a first stab at this section (below)... but I'm no security peep, so I would appreciate some input from those that know better... [[ Security considerations This section is non-normative. In addition to the security considerations specified for Zip files in the [Zip-MIME] registration, there are a number of security considerations that need to be taken into account when dealing with widget packages and configuration documents. As the configuration document format is [XML] and [Unicode], the security considerations described in [XML-MIME] and [UTR36] apply. The configuration document allows authors, through the feature element, to request permission to enable third-party runtime components and APIs. As these features are outside the scope of this specification, significant caution needs to be taken when granting a widget the capability to use a feature. Features themselves define their own security considerations. Widget packages will generally contain ECMAscript, HTML, CSS files, and other media, which are executed in a sand boxed environment. As such, implementers need to be aware of the security implications for the types they support. Specifically, implementers need to consider the security implications outlined in the [CSS-MIME] specification, the [ECMAScript-MIME], and the [HTML-MIME] specification. As this specification relies on the standardized heuristics for determining the content type of files defined in the SNIFF specification, implementers need to consider the security considerations discussed in the [SNIFF] specification. As this specification allows for the declaration of IRIs within certain elements of a configuration documents, implementers need to consider the security considerations discussed in the [IRI] specification. ]] -- Marcos Caceres http://datadriven.com.au
Received on Monday, 26 October 2009 17:46:44 UTC