On Tue, May 4, 2010 at 10:29 AM, Scott Wilson < [email protected]> wrote:
> I've just been reading through the WARP spec again, and in particular this
> stood out:
>
> In the default policy, a user agent <http://www.w3.org/TR/widgets-access/#dfn-user-agent>
> *must* deny access <http://www.w3.org/TR/widgets-access/#dfn-deny-access>
> to network resources <http://www.w3.org/TR/widgets-access/#dfn-network-resource>
> external to the widget by default, whether this access is requested through APIs
> (e.g. XMLHttpRequest) or through markup (e.g. iframe, script, img).
>
> I'm not sure if this statement is actually helpful here. While it makes
> sense that WARP defines policies that widen access beyond whatever the UA's
> default policy may be, is it strictly necessary to define the default
> policy?
>
> For example, this implies that a UA should actively block widgets using
> JSONp, CORS, Google's Ajax libraries, CDNs, or even a widget just grabbing
> its company's icon off their website in an img tag.

If these were limited to Uniform Messages, how much of a need would there
still be to disallow them? What would the remaining threats be?

> Now there may be UAs who have a default policy that is this strict, but
> requiring this to be the default policy as a conformance requirement for any
> WARP implementation seems OTT.
>
> S
>
>

--
Cheers,
--MarkM
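To make the quoted default-deny rule concrete, here is an added example (not code from this thread, the WARP spec, or any user agent) of a minimal policy evaluator: every network resource a widget references (img, script, iframe or XMLHttpRequest alike) is denied unless it matches an access request the widget declared. It assumes declarations of the shape WARP's `<access origin="..." subdomains="...">` element uses, which the message above does not quote, and the `AccessPolicy`/`audit_references` names and the sample URLs are this example's own constructions. Matching is on scheme, host and port, with the `subdomains` flag widening the host match.

```python
"""Default-deny widget network access evaluator (added example, not spec code)."""
from urllib.parse import urlsplit

# Default ports so "https://example.com" and "https://example.com:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(url):
    """Split a URL into (scheme, host, port), lower-casing scheme and host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


class AccessPolicy:
    """Allow-list built from (origin, subdomains) declarations; everything else is denied.

    Assumption: declarations mirror WARP's <access origin=".." subdomains=".."> element.
    """

    def __init__(self, access_requests=()):
        self.allow_all = False
        self.rules = []  # (scheme, host, port, subdomains)
        for origin, subdomains in access_requests:
            if origin == "*":
                # WARP's wildcard form: the widget asks for unrestricted network access.
                self.allow_all = True
                continue
            scheme, host, port = _origin_parts(origin)
            if not scheme or not host:
                continue  # a malformed declaration grants nothing rather than everything
            self.rules.append((scheme, host, port, bool(subdomains)))

    def allows(self, url):
        """Return True only when url matches a declared origin; the default is deny."""
        if self.allow_all:
            return True
        scheme, host, port = _origin_parts(url)
        if not scheme or not host:
            return False
        for r_scheme, r_host, r_port, subdomains in self.rules:
            if scheme != r_scheme or port != r_port:
                continue
            if host == r_host:
                return True
            if subdomains and host.endswith("." + r_host):
                return True
        return False


def audit_references(policy, references):
    """Map each (kind, url) the widget references to 'allow' or 'deny'.

    The kind (img, script, iframe, xhr) is recorded for the report only: under the
    quoted rule the decision is the same whichever path requests the resource.
    """
    return {(kind, url): ("allow" if policy.allows(url) else "deny")
            for kind, url in references}


# Constructed sample: the kinds of references Scott's message lists.
SAMPLE_REFERENCES = [
    ("script", "https://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"),
    ("img", "https://www.example.com/icon.png"),
    ("xhr", "https://api.example.com/jsonp?callback=cb"),
    ("script", "http://cdn.example.net/lib.js"),
]

if __name__ == "__main__":
    # Undeclared: the default policy denies every reference.
    for ref, verdict in audit_references(AccessPolicy(), SAMPLE_REFERENCES).items():
        print("default policy", verdict, *ref)
    # Declared: only what the widget asked for is widened.
    widened = AccessPolicy([("https://example.com", True), ("http://cdn.example.net", False)])
    for ref, verdict in audit_references(widened, SAMPLE_REFERENCES).items():
        print("declared policy", verdict, *ref)
```

Running it shows the two halves of the argument side by side: with no declarations every sample reference (CDN script, company icon, JSONP call) is denied, and once the widget declares `https://example.com` with subdomains and the CDN host, exactly those references flip to allow while the Google Ajax library stays denied because nothing declared it.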
