- From: Marcos Caceres <marcosc@opera.com>
- Date: Tue, 4 May 2010 14:10:54 +0200
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-webapps <public-webapps@w3.org>
On Thu, Feb 18, 2010 at 11:50 AM, Thomas Roessler <tlr@w3.org> wrote:
> Marcos,
>
> first of all, kudos for thinking about security considerations for this method. I'm glad you're considering factors like interaction flooding and tons of windows opening.

Thanks

> Reviewing the spec text:
> http://www.w3.org/TR/2009/CR-widgets-apis-20091222/#the-openurl-method
>
> ... I wonder whether the specification actually says that openURL will ever return upon success. You say that the widget's browsing context must not be navigated ("for security reasons" -- which ones? Access to special features within the widget context?) -- but do you forbid simply destroying the widget (or never returning) when openURL is invoked?
>

Right. I have clarified this:

[[
A user agent must not navigate the browsing context of a widget instance through the openURL() method: the concept of navigate is defined in [HTML5]. This restriction is imposed so an arbitrary web site cannot gain access to special features, such as those potentially declared through the configuration document's feature element, that may be enabled within the widget context.
]]

>
> If the method never returns, then the attack you're concerned about is probably infeasible (which would be good news); it would also tie widgets into a very specific application model that I don't know is desirable. You probably want to clarify this.
>

I kinda get what you are saying here, but I'm having trouble articulating it in the spec. Can you explain this a bit more or provide an example?

> So, to the security considerations:
>
> - if openURL can be executed multiple times, then pretty much everything one can say about pop-ups applies.

By "everything one can say about pop-ups", should I reference something from the "Web Security Context: User Interface Guidelines"?:
http://www.w3.org/TR/2010/WD-wsc-ui-20100309/#popups

> - as Adam said, file: URIs deserve some extra thought

I responded to Adam and CC'd you:
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0439.html

> - it's perhaps worthwhile to spell out to implementers that there are many ways to write a URI handler that isn't safe, e.g., assuming that just because a scheme has a particular syntax that syntax is actually followed.
>

What would be some recommendations for guarding against malformed URIs?

-- 
Marcos Caceres
Opera Software ASA, http://www.opera.com/
http://datadriven.com.au
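As an added illustration (not code from the thread or from the Widget Interface spec) of the kind of guard Thomas's last point and the closing question are about: an openURL()-style dispatcher that parses the URI, checks the scheme against an allow-list, applies scheme-specific structure checks instead of trusting the scheme alone, and rate-limits calls against window flooding. The allow-list, the limit values and the host-side opener callback are assumptions made for the example.

```javascript
// Added example, not from the spec or the thread: a defensive dispatcher for
// an openURL()-style method. A URI reaches the host opener only after
// (1) the WHATWG parser accepts it, (2) its scheme is on an allow-list and
// (3) it has the structure that scheme requires. Calls are rate-limited so
// a widget cannot flood the user with windows. Allow-list and limits are
// assumed values chosen for the example.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // file: deliberately absent

function classifyURI(input) {
  let url;
  try {
    url = new URL(String(input)); // normalises scheme/host case, rejects garbage
  } catch (e) {
    return { ok: false, reason: "unparsable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" }; // file:, javascript:, data:, ...
  }
  // Scheme-specific checks: a recognised scheme says nothing about the rest.
  if (url.protocol === "http:" || url.protocol === "https:") {
    if (url.hostname === "") return { ok: false, reason: "missing-host" };
    if (url.username !== "" || url.password !== "") {
      return { ok: false, reason: "userinfo-not-allowed" }; // "user@host" look-alikes
    }
  } else if (url.protocol === "mailto:") {
    // Opaque path must be one or more comma-separated addr-specs.
    const addrs = url.pathname.split(",");
    if (!addrs.every((a) => /^[^@\s,]+@[^@\s,]+$/.test(a))) {
      return { ok: false, reason: "malformed-mailto" };
    }
  }
  return { ok: true, href: url.href }; // pass on the normalised form, not the raw input
}

// Wraps a host-side opener (hypothetical) with the checks above plus a
// sliding-window call limit; `now` is injectable for testing.
function makeOpenURL(opener, { maxPerWindow = 5, windowMs = 60000, now = Date.now } = {}) {
  const stamps = [];
  return function openURL(input) {
    const verdict = classifyURI(input);
    if (!verdict.ok) return verdict;
    const t = now();
    while (stamps.length > 0 && t - stamps[0] >= windowMs) stamps.shift();
    if (stamps.length >= maxPerWindow) return { ok: false, reason: "rate-limited" };
    stamps.push(t);
    opener(verdict.href);
    return verdict;
  };
}
```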
Received on Tuesday, 4 May 2010 12:11:48 UTC