[widgets] API - openURL security considerations from Marcos Caceres on 2010-02-08 (public-webapps@w3.org from January to March 2010)

From: Marcos Caceres <marcosc@opera.com>
Date: Mon, 08 Feb 2010 17:36:57 +0100
To: public-webapps <public-webapps@w3.org>
Message-ID: <4B703DA9.8060903@opera.com>

At Opera we've been discussing some of the security implications around 
the openURL method in the widgets API spec. We think the spec might 
benefit if we were to add a non-normative security consideration section 
for openURL.

We are basically concerned about protecting against a simple attack such as:

while(true){
   openURL("http://...");
}

The following text, which I did not write, can serve as a basis for the 
note - we are presenting it here for discussion, and you'll note it uses 
different terminology than the one found in the spec. In other words, 
please don't consider the following to be spec text, it needs a fair 
amount of editing but tries to get to the heart of the problem:

[[
APIs to open external programs, such as opening a URL in a browser, 
SHOULD only be allowed automatically if the widget has focus. Opening 
such an external program, SHOULD result in the widget losing focus, for 
the purpose of opening more external programs. User interaction with the 
widget may restore the focus to the widget. Widget Managers MAY offer a 
dialog for other attempts to open external programs, or MAY fail the 
operation. User agents MAY also offer an override for users to allow a 
widget to open external programs automatically, even when minimized in 
the background.

Security considerations: Widgets may have managed run-time constraints, 
for instance on memory usage or domain access, and opening multiple 
instances of external programs may easily exceed those constraints. 
External programs may present dialogs to perform harmful actions, e.g. 
download dialogs, and multiple new windows in a short time span may 
allow for interaction flooding attacks or may lead to warning fatigue. 
This security measure ensures that users get a reasonable chance to 
manage the run-time constraints, and ensures that only one external 
program and/or dialog can be opened at a time.
See http://www.w3.org/TR/wsc-ui/#popups for more details.
]]

We would appreciate any feedback people have about the proposed text.

Received on Monday, 8 February 2010 16:37:33 UTC