Re: [widgets] API - openURL security considerations from timeless on 2010-02-11 (public-webapps@w3.org from January to March 2010)

From: timeless <timeless@gmail.com>
Date: Thu, 11 Feb 2010 21:52:06 +0200
To: Marcos Caceres <marcosc@opera.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <26b395e61002111152g306a274cse5aaf69e944d878c@mail.gmail.com>

On Mon, Feb 8, 2010 at 6:36 PM, Marcos Caceres <marcosc@opera.com> wrote:
> At Opera we've been discussing some of the security implications around the
> openURL method in the widgets API spec. We think the spec might benefit if
> we were to add a non-normative security consideration section for openURL.

> The following text, which I did not write, can serve as a basis for the note
> - we are presenting it here for discussion, and you'll note it uses
> different terminology than the one found in the spec. In other words, please
> don't consider the following to be spec text, it needs a fair amount of
> editing but tries to get to the heart of the problem:

Personally, I'd rather suggest that openURL not be treated as
"openURL" but "add url to suggested links".

I have a blog draft that tries to explain it, but basically, an
application has no reason to ask another application to open urls.
Instead it should have the ability to give the user a series of urls
which the user can treat as a bookmark list. If the user chooses to
open one or more of those bookmarks, fine, however, if the user closes
the application, having decided that the bookmarks aren't interesting,
then they're gone.

http://viper.haque.net/~timeless/blog/2/popups/ is the write-up, it's
actually the oldest thing in my blog :).

Note that my opinion has nothing specifically to do with widgets, I
don't approve of random applications on my computer launching my web
browser and ordering it to go somewhere. I'd rather my web browser
just collect those suggestions and enable me to decide whether *I*
want to go to some of them, and if so, which, and of course, at the
time of my choosing.

Note that in the case where a user actually trusts another application
on their system, the user is free to use drag and drop to pull a url
into the web browser, that would bypass the suggestion behavior. In
the case of widgets, I don't think that such a feature should be
supported because there's too much risk that the user is tricked into
dragging something dangerous and changing the security principals of
the source.

Received on Thursday, 11 February 2010 19:52:40 UTC