- From: Jose Dinuncio <jdinunci@uc.edu.ve>
- Date: Thu, 10 Jun 2004 14:24:10 -0400
On Thu, 10-06-2004 at 11:32, Ian Hickson wrote:
> On Thu, 10 Jun 2004, Jose Dinuncio wrote:
> >>>
> >>> *) There is a need for WAOB: In intranets, security of the web app
> >>> downloaded is not a concern. In client-server applications, it would be
> >>> nice to download an always-up-to-date thin client every time you need
> >>> it.
> >>
> >> How can you tell if the intranet content is trusted or not?
> >
> > I don't see which is the difference on security concerns between using an
> > intranet inside the browser vs. outside the browser.
>
> There are several problems. First, how do you know it's an intranet page?
>
> Second, why are you assuming everyone in the intranet is trusted? There
> are many scenarios -- for example, school networks -- where the intranet
> is even more hostile than the internet.

I think I've understood the reason of our divergences. If I interpret
you rightly, the problem is that an intranet user is visiting an
insecure site inside the intranet and a web app pops up and he is
fooled to use this app.

The scenario I have in mind is another one: you need to do your job
using several well known web apps in your intranet. You know that the
CRM app is at http://mydoamin.com/crm.

That's it: navigation vs. app delivery. I don't see web apps just as an
improved www, but as well as a replacement in several circumstances.

And again, there is no hostile environment that affects in a special way
web apps outside the browser.

> >>> *) The cost of adding this feature in the SPEC is not so big: It is Web
> >>> forms outside html. Subtract CSS and add the window and layout tags,
> >>> and that's all.
> >>
> >> I don't see why you have to subtract CSS, but sure, actually doing a
> >> chromeless Web page is easy.
> >
> > What I mean is, since web forms are not inside a html doc (in my wildest
> > dreams at least) there's not <table> or <p> or CSS to help you in the
> > components layout. So the layout is determined by <hlayout>, <vlayout>
> > and friends.
>
> Presentational markup is very bad for accessibility. Whatever language you
> use, you would want it to be semantic. And luckily we have this semantic
> language right here and already supported in several browsers... HTML. :-)

Ok. But if web apps outside the browser are to be implemented, a way to
attach info to the window would be necessary (again, menu bar, control
bar, status bar, close button...)

> >> The biggest problem is simply: How can you tell that the content you
> >> have is trusted enough that it should be run without any of the browser
> >> chrome?
> >
> > This is a problem that goes beyond any SPEC. The browser chrome won't
> > help you to determine what the app is doing behind scenes, anyway.
>
> No but it will tell you whether the application is from www.paypal.com or
> hostile.intranet.example.com, even if the actual content looks identical
> in both.

Security by browser chrome doesn't seem the way to go.

> > Security concerns are orthogonal to the web app being executed inside or
> > outside the browser.
>
> Security, yes, but we're talking about spoofing, and trust, and that is
> not at all unrelated. It is in fact the major issue.

Yes, but again, this applies both to web apps inside and outside the
browser. A complete answer, if possible, stands on several technologies
and is applicable in both cases.

I'm trying to keep open a path to WAOB. I think this feature can play an
important role in the future of this project.

-- 
Jose Dinuncio <jdinunci at uc.edu.ve>
Universidad de Carabobo
Received on Thursday, 10 June 2004 11:24:10 UTC