Re: [widgets] WARP default policy

On Tue, May 4, 2010 at 7:29 PM, Scott Wilson
<scott.bradley.wilson@gmail.com> wrote:
> I've just been reading through the WARP spec again, and in particular this
> stood out:
> In the default policy, a user agent must deny access to network
> resources external to the widget by default, whether this access is
> requested through APIs (e.g. XMLHttpRequest) or through markup
> (e.g. iframe, script, img).

> I'm not sure if this statement is actually helpful here. While it makes
> sense that WARP defines policies that widen access beyond whatever the UA's
> default policy may be, is it strictly necessary to define the default
> policy?

I agree, this is unhelpful in the way it is written. This assumes that
the default policy is "about:blank" or "widget:" (and even for those,
the default policy is not defined - that is, HTML5, AFAIK, does not
define about:blank and widget: does not define a default policy).
That is wrong IMO. Wookie demonstrates that by embedding the widget
within a web page the widget's security model will be the one given by
the browser.

In the case of Wookie, CORS makes more sense than WARP. WARP is only
really suitable for when the widget is relying on a restrictive
security context implied by a given origin (i.e., if origin is
"widget://xxx" or other non-Web one, then WARP applies; else, if
origin is from http/https, the web (HTML5) security model applies).

> For example, this implies that a UA should actively block widgets using
> JSONp, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing
> its company's icon off their website in an img tag.

Agree.

> Now there may be UAs who have a default policy that is this strict, but
> requiring this to be the default policy as a conformance requirement for any
> WARP implementation seems OTT.

Agree.



-- 
Marcos Caceres
Opera Software ASA, http://www.opera.com/
http://datadriven.com.au

Received on Wednesday, 5 May 2010 08:35:16 UTC
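
The scoping rule suggested in the reply above (WARP's deny-by-default applies only when the widget runs in a non-Web origin such as "widget://xxx"; a widget served over http/https falls under the browser's own model), sketched as an added example that is not part of the original message or of the WARP spec. The function names, the grant objects standing in for `<access origin="..." subdomains="..."/>` elements, and the simplified scheme/host/port matching are assumptions made for illustration.

```javascript
// Added illustration; function names and grant objects are constructed.
// A grant stands in for a WARP <access origin="..." subdomains="..."/> element.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function sameOrSubdomain(host, grantHost, subdomains) {
  // The leading dot stops "evilexample.com" matching a grant for "example.com".
  return host === grantHost || (subdomains && host.endsWith("." + grantHost));
}

// True if a grant covers the target URL (scheme, host and port must all match).
function grantCovers(grant, target) {
  if (grant.origin === "*") return true;
  const g = new URL(grant.origin);
  const port = (u) => u.port || DEFAULT_PORTS[u.protocol] || "";
  return g.protocol === target.protocol &&
    port(g) === port(target) &&
    sameOrSubdomain(target.hostname, g.hostname, grant.subdomains === true);
}

// Decide which model governs a request made by a widget document.
// documentOrigin: URL of the widget's start file as the UA loaded it.
function decide(documentOrigin, targetUrl, grants) {
  const doc = new URL(documentOrigin);
  const target = new URL(targetUrl, documentOrigin);
  if (doc.protocol === "http:" || doc.protocol === "https:") {
    // Widget embedded in a web page (the Wookie case): WARP is not consulted,
    // the browser's same-origin policy and CORS decide (allowed: null here).
    return { model: "web", allowed: null };
  }
  if (target.protocol === doc.protocol && target.host === doc.host) {
    // Resource inside the widget package, not a network resource.
    return { model: "warp", allowed: true };
  }
  // Non-Web origin: deny by default, allow only what a grant covers.
  const allowed = grants.some((gr) => grantCovers(gr, target));
  return { model: "warp", allowed };
}
```
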