[widgets] WARP default policy

I've just been reading through the WARP spec again, and in particular this stood out:

In the default policy, a user agent must deny access to network resources external to the widget by default, whether this access is requested through APIs (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).

I'm not sure if this statement is actually helpful here. While it makes sense that WARP defines policies that widen access beyond whatever the UA's default policy may be, is it strictly necessary to define the default policy?

For example, this implies that a UA should actively block widgets using JSONP, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing its company's icon off their website in an img tag.

Now there may be UAs who have a default policy that is this strict, but requiring this to be the default policy as a conformance requirement for any WARP implementation seems OTT.

S

Received on Tuesday, 4 May 2010 17:30:01 UTC
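To make the effect of the quoted default policy concrete, here is an added example (not part of the original message or of any WARP implementation) that evaluates network requests the way the spec's model works: deny by default, widen only through `<access origin="..." subdomains="true|false"/>` elements in the widget's config.xml. The sample config.xml, the URLs and the function names are constructed for this illustration; the matching rules (scheme, host and port must match, `subdomains="true"` also admits subdomains, `origin="*"` admits everything) follow the WARP spec, and relative references are treated as resources inside the widget package.

```python
"""Toy evaluator for the WARP default access policy (added example, not spec code)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WIDGET_NS = "http://www.w3.org/ns/widgets"

# Constructed sample config.xml: one exact-origin rule and one rule that
# also admits subdomains. Nothing else is reachable under the default policy.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<widget xmlns="http://www.w3.org/ns/widgets" id="http://example.com/sample-widget">
  <name>Sample widget</name>
  <access origin="https://cdn.example.net"/>
  <access origin="https://example.com" subdomains="true"/>
</widget>
"""


@dataclass(frozen=True)
class AccessRule:
    scheme: str
    host: str
    port: Optional[int]
    subdomains: bool
    wildcard: bool = False  # origin="*" widens access to every network resource


def default_port(scheme: str) -> Optional[int]:
    return {"http": 80, "https": 443}.get(scheme)


def parse_access_rules(config_xml: str) -> List[AccessRule]:
    """Collect <access> elements; malformed origins are ignored (no widening)."""
    root = ET.fromstring(config_xml)
    rules: List[AccessRule] = []
    for el in root.findall(f"{{{WIDGET_NS}}}access"):
        origin = (el.get("origin") or "").strip()
        if not origin:
            continue
        if origin == "*":
            rules.append(AccessRule("", "", None, False, wildcard=True))
            continue
        parts = urlsplit(origin)
        if not parts.scheme or not parts.hostname:
            continue  # not a usable origin, so it grants nothing
        subdomains = (el.get("subdomains") or "false").strip().lower() == "true"
        rules.append(AccessRule(parts.scheme.lower(), parts.hostname.lower(),
                                parts.port, subdomains))
    return rules


def is_allowed(url: str, rules: List[AccessRule]) -> bool:
    """Default policy: deny external resources unless an <access> rule widens it."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True  # relative reference: a resource inside the widget package
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or default_port(scheme)
    for rule in rules:
        if rule.wildcard:
            return True
        if rule.scheme != scheme:
            continue
        if (rule.port or default_port(rule.scheme)) != port:
            continue
        if host == rule.host:
            return True
        if rule.subdomains and host.endswith("." + rule.host):
            return True
    return False  # nothing widened access to this origin


def classify(urls: List[str], rules: List[AccessRule]) -> dict:
    """Map each URL to its decision, handy for auditing a widget's fetch list."""
    return {u: ("allow" if is_allowed(u, rules) else "deny") for u in urls}


if __name__ == "__main__":
    rules = parse_access_rules(SAMPLE_CONFIG)
    # Constructed URLs mirroring the cases raised in the message above.
    for url, decision in classify([
        "https://cdn.example.net/jquery.min.js",          # allowed by rule 1
        "https://www.example.com/icon.png",               # allowed via subdomains
        "https://ajax.googleapis.com/ajax/libs/x.js",     # CDN not listed: denied
        "https://api.example.org/feed?callback=cb",       # JSONP origin not listed
        "images/icon.png",                                # inside the package
    ], rules).items():
        print(f"{decision:5s} {url}")
```

The point worth noticing is that every "deny" above is exactly what the quoted default policy requires: a widget that pulls a library from a public CDN or an icon from a site not named in an `<access>` element simply does not load it, and the only ways out are an explicit origin rule or `origin="*"`.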