[widgets] API - openURL security considerations

At Opera we've been discussing some of the security implications around 
the openURL method in the widgets API spec. We think the spec might 
benefit if we were to add a non-normative security consideration section 
for openURL.

We are basically concerned about protecting against a simple attack such as:

while(true){
   openURL("http://...");
}

The following text, which I did not write, can serve as a basis for the 
note - we are presenting it here for discussion, and you'll note it uses 
different terminology from that found in the spec. In other words, 
please don't consider the following to be spec text; it needs a fair 
amount of editing but tries to get to the heart of the problem:

[[
APIs to open external programs, such as opening a URL in a browser, 
SHOULD only be allowed automatically if the widget has focus. Opening 
such an external program SHOULD result in the widget losing focus, for 
the purpose of opening more external programs. User interaction with the 
widget may restore the focus to the widget. Widget Managers MAY offer a 
dialog for other attempts to open external programs, or MAY fail the 
operation. User agents MAY also offer an override for users to allow a 
widget to open external programs automatically, even when minimized in 
the background.

Security considerations: Widgets may have managed run-time constraints, 
for instance on memory usage or domain access, and opening multiple 
instances of external programs may easily exceed those constraints. 
External programs may present dialogs to perform harmful actions, e.g. 
download dialogs, and multiple new windows in a short time span may 
allow for interaction flooding attacks or may lead to warning fatigue. 
This security measure ensures that users get a reasonable chance to 
manage the run-time constraints, and ensures that only one external 
program and/or dialog can be opened at a time.
See http://www.w3.org/TR/wsc-ui/#popups for more details.
]]

We would appreciate any feedback people have about the proposed text.
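As an added illustration (not part of the original mail, and not code from the widgets spec or any widget manager), here is a small host-side model of the proposed policy: openURL succeeds only while the widget has focus, opening an external program drops focus, user interaction restores it, and the two optional behaviours (a dialog for blocked attempts, a user override for background opens) are switches. The names WidgetHost, userInteraction and simulateFlood are assumptions; simulateFlood is the mail's flooding loop with a bound so it terminates.

```javascript
// Added example: focus-gated openURL as described in the proposed note.
// WidgetHost, userInteraction and simulateFlood are hypothetical names.
const OPENED = "opened";
const DENIED = "denied";
const PROMPTED = "prompted";

class WidgetHost {
  constructor({ allowBackground = false, promptOnBlocked = false } = {}) {
    this.hasFocus = false;                 // focus only comes from user interaction
    this.allowBackground = allowBackground; // user override: automatic opens even in background
    this.promptOnBlocked = promptOnBlocked; // offer a dialog instead of failing outright
    this.launched = [];                    // external programs actually opened
    this.prompted = [];                    // attempts deferred to a user dialog
  }

  // Called by the platform when the user clicks or keys into the widget.
  userInteraction() {
    this.hasFocus = true;
  }

  // The openURL entry point a widget script calls.
  openURL(url) {
    if (this.hasFocus || this.allowBackground) {
      this.launched.push(url);
      // Opening an external program costs the widget its focus, so the next
      // automatic attempt is blocked until the user interacts again.
      this.hasFocus = false;
      return OPENED;
    }
    if (this.promptOnBlocked) {
      this.prompted.push(url);
      return PROMPTED;
    }
    return DENIED;
  }
}

// The while(true){ openURL(...) } loop from the mail, bounded for the demo.
// Returns the per-attempt outcome so the effect of the gate is visible.
function simulateFlood(host, attempts) {
  const results = [];
  host.userInteraction(); // the user is interacting with the widget at the start
  for (let i = 0; i < attempts; i++) {
    results.push(host.openURL("http://example.invalid/" + i)); // constructed URLs
  }
  return results;
}
```

With the default settings only the first attempt of the flood opens anything; the rest are denied until the user interacts again, which is the bound the note is after.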

Received on Monday, 8 February 2010 16:37:33 UTC