RE: security model of Web Components, etc. - joint work with WebAppSec? from Hill, Brad on 2013-03-15 (public-webapps@w3.org from January to March 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 15 Mar 2013 16:37:22 +0000
To: public-webapps <public-webapps@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27965368@DEN-EXDDA-S12.corp.ebay.com>

As I mentioned in my introductory message, I am specifically interested in the security model of components loaded cross-origin - do they get complete control of the application / DOM into which they are loaded?  Does an application have any ability to restrict or explicitly pass capabilities to a cross-origin component?

-Brad Hill

> -----Original Message-----
> From: Arthur Barstow [mailto:art.barstow@nokia.com]
> Sent: Friday, March 15, 2013 7:20 AM
> To: Hill, Brad; Dimitri Glazkov
> Cc: public-webappsec@w3.org; public-webapps
> Subject: Re: security model of Web Components, etc. - joint work with
> WebAppSec?
> 
> On 3/14/13 8:16 PM, ext Charles McCathie Nevile wrote:
> > On Thu, 14 Mar 2013 18:15:14 +0100, Dimitri Glazkov
> > <dglazkov@chromium.org> wrote:
> >
> >> On Thu, Mar 14, 2013 at 7:10 AM, Hill, Brad <bhill@paypal-inc.com>
> >> wrote:
> >>
> >>> Is there time available on the April F2F agenda for discussion of this?
> >>> If not in WebApps, would relevant WG members be willing to join us
> >>> if we found time to discuss in WebAppSec's timeslot Thursday or
> >>> Friday?
> >>>
> >> http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics
> >> Shows agenda wide open so far. Should we just plop something into one
> >> of the slots?
> >
> > Yep, that's a reasonable thing to do...
> 
> I allocated a slot for the joint meeting on Thursday from 2:30-3:00. If anyone
> thinks more time is needed, please speak up.
> 
> Please use public-webapps@w3.org for _all_ Web Components discussions and
> I encourage feedback, comments, etc. in _advance_ of the meeting.
> 
> FYI Brad, Dimitri and the Editors have created a suite of Web Components
> specs. The set of specs that have already been published is:
> 
> * Web Components Introduction
> <http://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html>
> 
> * HTML Templates
> <http://dvcs.w3.org/hg/webcomponents/raw-
> file/tip/spec/templates/index.html>
> 
> * Shadow DOM
> <http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/shadow/index.html>
> 
> There is at least one unpublished ED (not sure if this is ready yet for security
> review):
> 
> * Web Components (<link rel=components> and Components API)
> <https://dvcs.w3.org/hg/webcomponents/raw-
> file/tip/spec/components/index.html>
> 
> Dimitri - if you can think of specific areas of potential security concerns you
> would like reviewed or if I missed any specs, please let us know.
> 
> -Thanks, ArtB
> 
> 
> >
> > cheers
> >
> > Chaals
> >

Received on Friday, 15 March 2013 16:37:52 UTC