Re: [widgets] API - openURL security considerations

On Thu, Feb 18, 2010 at 11:50 AM, Thomas Roessler <tlr@w3.org> wrote:
> Marcos,
>
> first of all, kudos for thinking about security considerations for this method.  I'm glad you're considering factors like interaction flooding and tons of windows opening.

Thanks

> Reviewing the spec text:
> http://www.w3.org/TR/2009/CR-widgets-apis-20091222/#the-openurl-method
>
> ... I wonder whether the specification actually says that openURL will ever return upon success.  You say that the widget's browsing context must not be navigated ("for security reasons" -- which ones?  Access to special features within the widget context?)  -- but do you forbid simply destroying the widget (or never returning) when openURL is invoked?
>

Right. I have clarified this:

[[
A user agent must not navigate the browsing context of a widget
instance through the openURL() method: the concept of navigate is
defined in [HTML5]. This restriction is imposed so an arbitrary web
site cannot gain access to special features, such as those potentially
declared through the configuration document's feature element, that
may be enabled within the widget context.
]]

>
> If the method never returns, then the attack you're concerned about is probably infeasible (which would be good news); it would also tie widgets into a very specific application model that I don't know is desirable.  You probably want to clarify this.
>

I kinda get what you are saying here, but I'm having trouble
articulating it in the spec. Can you explain this a bit more or
provide an example?

> So, to the security considerations:
>
> - if openURL can be executed multiple times, then pretty much everything one can say about pop-ups applies.

By "everything one can say about pop-ups", should I reference
something from the "Web Security Context: User Interface Guidelines"?

http://www.w3.org/TR/2010/WD-wsc-ui-20100309/#popups

> - as Adam said, file: URIs deserve some extra thought

I responded to Adam and CC'd you:

http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0439.html

> - it's perhaps worthwhile to spell out to implementers that there are many ways to write a URI handler that isn't safe, e.g., assuming that just because a scheme has a particular syntax that syntax is actually followed.
>

What would be some recommendations for guarding against malformed URIs?



-- 
Marcos Caceres
Opera Software ASA, http://www.opera.com/
http://datadriven.com.au
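The question of guarding against malformed URIs, and Thomas's points about unsafe URI handlers and window flooding, illustrated with an added example that is not from this thread or the Widgets spec: a user-agent-side check that parses the openURL() argument with a WHATWG URL parser instead of trusting its syntax, allowlists schemes, and caps the invocation rate. The function name, scheme list and limits are assumptions.

```javascript
// Added example (not from the thread or the Widgets spec): a defensive
// wrapper a user agent could run on an openURL() argument before handing
// it to the platform's URI handlers. Assumes the WHATWG URL parser (the
// global URL class in Node/browsers) and a constructed scheme allowlist.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed
const MAX_OPENS = 3;       // assumed cap on openURL() calls per window
const WINDOW_MS = 10_000;  // ... within a 10-second window (flooding guard)

function checkOpenUrl(input, state = { times: [] }, now = Date.now()) {
  // Never assume the caller's string follows a scheme's syntax: parse it,
  // and treat a parse failure as a rejection, not as "some other scheme".
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Scheme allowlist: file:, javascript:, data: and unknown schemes are
  // refused, so an arbitrary site cannot reach local files or widget features.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme " + url.protocol };
  }
  // http(s) must name a host; mailto: must carry an address.
  if (url.protocol !== "mailto:" && url.hostname === "") {
    return { ok: false, reason: "no host" };
  }
  if (url.protocol === "mailto:" && url.pathname === "") {
    return { ok: false, reason: "empty mailto" };
  }
  // Interaction-flooding guard: drop calls beyond MAX_OPENS per WINDOW_MS.
  state.times = state.times.filter((t) => now - t < WINDOW_MS);
  if (state.times.length >= MAX_OPENS) {
    return { ok: false, reason: "rate limited" };
  }
  state.times.push(now);
  // Pass the normalized (re-serialized) URL to the handler, never the raw input.
  return { ok: true, href: url.href };
}
```

The parser also canonicalizes case and encoding, so the handler sees "http:" rather than "HTTP:" and a single well-formed serialization.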

Received on Tuesday, 4 May 2010 12:11:48 UTC