- From: Charles McCathieNevile <chaals@opera.com>
- Date: Fri, 27 Jan 2012 12:54:52 +0100
- To: "Tim Berners-Lee" <timbl@w3.org>, "Ian Hickson" <ian@hixie.ch>
- Cc: public-webapps@w3.org, "Thomas Roessler" <tlr@w3.org>, "Michael(tm) Smith" <mike@w3.org>

On Fri, 20 Jan 2012 20:32:33 +0100, Ian Hickson <ian@hixie.ch> wrote:

> On Fri, 20 Jan 2012, Tim Berners-Lee wrote:
>> There of course places where XHR is used and there is no
>> cross-site scripting security needed
>>
>> 1) in a browser extension
>> 2) in node.js code trusted apps
>
> These aren't the Web, so they're probably out of scope of the CORS and
> XHR specs, but Anne can comment if he disagrees. :-)

I'm not Anne, but I disagree with both of you. These things are related to the Web and have the potential to become part of it, and the idea that they don't need to worry about security in the way the web does seems to me ridiculous, for the reasons Ian outlines below...

>> 3) in web apps when web apps can, in I hope the near future, be
>> installed, and flagged as trusted code
>
> Personally I think the idea of "installing" a Web app is anathema.

The range of options for web apps which go from using local storage through appcache to full installability means that this horse seems to have bolted. Personally I think that's a good thing - being able to work with the Web even when there isn't a permanent and perfect connection is still important (as I was reminded again this month when trying to use normal infrastructure in Melbourne Australia...).

There are plenty of use cases for some kind of installability, just as there is lots of use for bits of the Web behind a firewall (every time someone tries to share something with me developed using Google's services I am required to have a Google log-in - the fact that the firewall includes zillions of people doesn't make it public, just as it doesn't mean that it isn't "on the Web").

> The best thing about Web apps is that the browser can be trusted such
> that even the most hostile app can't do anything bad.

This is not true. One of the good things about the Web is that it has a robust security model (compared to alternatives) which is designed to protect users from hostile apps to a greater extent than other platforms.

IMHO (and I think this is simply a subjective assertion of values rather than a question that can be objectively determined) the best thing about web apps is that they are built with a very widespread, well understood and relatively simple technology stack that is successfully implemented by many providers, such that no provider cannot be replaced.

> If we start allowing users to install apps, we'll just change the
> security model of the Web from "you can't do anything bad without an
> implicit permission gesture from the user" to "all you have to do is
> convince the user to install you and then you can own them".

Only if we make the assumption Tim made above - which I think is based in turn on the assumption that installable web apps come from one source. Having to go through some particular app store for them leads to such an assumption. It also breaks important use cases.

It should be straightforward for ACME co to produce a web app that is useful for its employees, and distribute it internally from some trusted point. They should also be able to distribute that to others, either directly (based on other people trusting ACME) or through a third party which people trust (widgets.opera.com or google's app store or appsRus or whoever...)

This requires a trust and security model where the decisions can be made by a user, or further back in the distribution chain.

> Basically, moving us from the Web's security model today, a fantastic
> and successful security model that has withstood a decade or more of
> sustained attack, to the Windows security model.

I think you're overstating the success of the Web security model, and missing the fact that it has caused us to have a web which until recently is far less capable than installed applications. But yes, as I said above in agreement with you, the model is designed to match reality better than most of the alternatives, and we should think carefully before abandoning it any time we are tempted to do so...

cheers

Chaals

--
Charles 'chaals' McCathieNevile
Opera Software, Standards Group
je parle français -- hablo español -- jeg kan litt norsk
http://my.opera.com/chaals
Try Opera: http://www.opera.com

Received on Friday, 27 January 2012 11:55:25 UTC