- From: Marcin Hanclik <Marcin.Hanclik@access-company.com>
- Date: Tue, 27 Oct 2009 17:27:22 +0100
- To: "marcosc@opera.com" <marcosc@opera.com>
- CC: public-webapps <public-webapps@w3.org>, Thomas Roessler <tlr@w3.org>
Hi Marcos,

Fine for me.

Thanks,
Marcin

Marcin Hanclik
ACCESS Systems Germany GmbH
Tel: +49-208-8290-6452 | Fax: +49-208-8290-6465
Mobile: +49-163-8290-646
E-Mail: marcin.hanclik@access-company.com

-----Original Message-----
From: marcosscaceres@gmail.com [mailto:marcosscaceres@gmail.com] On Behalf Of Marcos Caceres
Sent: Tuesday, October 27, 2009 5:23 PM
To: Marcin Hanclik
Cc: public-webapps; Thomas Roessler
Subject: Re: [Widgets] Security Considerations

On Tue, Oct 27, 2009 at 5:38 PM, Marcin Hanclik <Marcin.Hanclik@access-company.com> wrote:
> Hi Marcos,
>
> I think the section below is ok.
> FWIW:
> 1. As in [1] we could add more detailed statements about HTML tags.

I could, but this might be mostly outdated because of HTML5.

> 2. Also together with the term "security" we could add "privacy".

Added.

> So e.g. we may have another paragraph like this (the below text may need more details):
>
> "Widget packages may contain content that is able to interact both with the remote host and local device.
> Therefore, implementers need to take into account the privacy-related implications resulting from the potential exposure of private information to the remote host given the relevant programming interface / model is defined."
>

I tried to shorten it and included it... details below...

> 3. [2] has a more thorough list of considerations that seem to be related to widgets, but more in the context of DAP. Anyway some of them could be reflected in the registration of application/widget.
>
> [1] http://tools.ietf.org/html/rfc4287#section-8
> [2] http://dev.w3.org/geo/api/spec-source.html#security
>

Ok, I took from [2] and got:

"As widget packages can contain content that is able to simultaneously interact with the local device and a remote host, implementers need to consider the privacy implications resulting from exposing private information to a remote host.

Mitigation and in-depth defensive measures are an implementation responsibility and not prescribed by this specification. However, in designing these measures, implementers are advised to enable user awareness of information sharing, and to provide easy access to interfaces that enable revocation of permissions."

--
Marcos Caceres
http://datadriven.com.au

________________________________________

Access Systems Germany GmbH
Essener Strasse 5 | D-46047 Oberhausen
HRB 13548 Amtsgericht Duisburg
Geschaeftsfuehrer: Michel Piquemal, Tomonori Watanabe, Yusuke Kanda

www.access-company.com

CONFIDENTIALITY NOTICE
This e-mail and any attachments hereto may contain information that is privileged or confidential, and is intended for use only by the individual or entity to which it is addressed. Any disclosure, copying or distribution of the information by anyone else is strictly prohibited. If you have received this document in error, please notify us promptly by responding to this e-mail. Thank you.

Received on Tuesday, 27 October 2009 16:28:17 UTC