- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 4 May 2010 14:45:09 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: Scott Wilson <scott.bradley.wilson@gmail.com>, public-webapps WG <public-webapps@w3.org>
On Tue, May 4, 2010 at 2:37 PM, Mark S. Miller <erights@google.com> wrote:
> On Tue, May 4, 2010 at 10:29 AM, Scott Wilson
> <scott.bradley.wilson@gmail.com> wrote:
>>
>> I've just been reading through the WARP spec again, and in particular this
>> stood out:
>>
>> In the default policy, a user agent must deny access to network
>> resources external to the widget by default, whether this access is
>> requested through APIs (e.g. XMLHttpRequest) or through markup
>> (e.g. iframe, script, img).
>>
>> I'm not sure if this statement is actually helpful here. While it makes
>> sense that WARP defines policies that widen access beyond whatever the UA's
>> default policy may be, is it strictly necessary to define the default
>> policy?
>>
>> For example, this implies that a UA should actively block widgets using
>> JSONp, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing
>> its company's icon off their website in an img tag.
>
> If these were limited to Uniform Messages, how much of a need would there
> still be to disallow them? What would the remaining threats be?

Would it allow reading resources behind corporate firewalls using a browser
running on a computer behind said firewall?

/ Jonas
Received on Tuesday, 4 May 2010 21:46:01 UTC
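The exchange above turns on two things: WARP's default policy denies every fetch outside the widget (XHR and markup alike) unless the widget's config.xml widens it, and Jonas's objection is that widening it to everything lets the widget reach hosts that are only reachable from the user's network position. The following model, added here and not taken from the thread or from any W3C implementation, makes both points concrete. It follows the `<access origin="..." subdomains="..."/>` element shape from WARP but simplifies the matching rules, and the hostnames and config fragments are constructed sample values.

```python
"""Simplified model of a WARP-style default-deny network access policy.

Added illustration, not code from the WARP spec or any W3C project.
The <access origin="..." subdomains="..."/> shape follows WARP; the
matching below is a simplified reading of the spec, and every host
name and config fragment is a constructed sample value.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WIDGETS_NS = "{http://www.w3.org/ns/widgets}"
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class AccessRule:
    """One <access> element: scheme, host and port, optionally with subdomains."""
    scheme: str
    host: str
    port: int
    subdomains: bool

    def matches(self, scheme: str, host: str, port: int) -> bool:
        if scheme != self.scheme or port != self.port:
            return False
        if host == self.host:
            return True
        return self.subdomains and host.endswith("." + self.host)


def parse_config(config_xml: str):
    """Return (rules, allow_all) from the text of a widget config.xml."""
    root = ET.fromstring(config_xml)
    rules, allow_all = [], False
    for el in root.iter(WIDGETS_NS + "access"):
        origin = el.get("origin", "")
        if origin == "*":          # wildcard: the widget may reach any origin
            allow_all = True
            continue
        parts = urlsplit(origin)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            continue               # unparseable access elements are ignored
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        subdomains = el.get("subdomains", "false").lower() == "true"
        rules.append(AccessRule(parts.scheme, parts.hostname.lower(), port, subdomains))
    return rules, allow_all


def is_allowed(url: str, rules, allow_all: bool) -> bool:
    """Default deny: a URL is fetchable only if some rule (or '*') covers it.

    The same decision applies whether the fetch comes from XMLHttpRequest
    or from markup such as <img>, <script> or <iframe>.
    """
    if allow_all:
        return True
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return False
    port = p.port or DEFAULT_PORTS[p.scheme]
    return any(r.matches(p.scheme, p.hostname.lower(), port) for r in rules)


def evaluate(config_xml: str, urls):
    """Map each URL to the policy decision for the given config."""
    rules, allow_all = parse_config(config_xml)
    return {u: is_allowed(u, rules, allow_all) for u in urls}


# Constructed sample configs and URLs.
CONFIG_NO_ACCESS = '<widget xmlns="http://www.w3.org/ns/widgets"/>'
CONFIG_CDN = (
    '<widget xmlns="http://www.w3.org/ns/widgets">'
    '<access origin="https://example.com" subdomains="true"/>'
    '</widget>'
)
CONFIG_STAR = (
    '<widget xmlns="http://www.w3.org/ns/widgets">'
    '<access origin="*"/></widget>'
)
SAMPLE_URLS = [
    "https://cdn.example.com/lib.js",           # a CDN script the widget wants
    "https://example.com/icon.png",             # the company icon in an <img>
    "http://intranet.corp.example/payroll",     # reachable only behind the firewall
]

if __name__ == "__main__":
    for name, cfg in [("no access", CONFIG_NO_ACCESS), ("cdn", CONFIG_CDN), ("*", CONFIG_STAR)]:
        print(name, evaluate(cfg, SAMPLE_URLS))
```

With no `<access>` element everything is denied, which is the behaviour Scott finds too strict; an explicit entry for `https://example.com` with `subdomains="true"` lets the icon and the CDN script through while still denying the intranet host; and `origin="*"` allows all three, including the payroll host that is only reachable because the browser sits inside the firewall. Whether the request carries credentials (the Uniform Messages question) changes nothing in this evaluator: reachability comes from network position, not from cookies.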