Re: security model of Web Components, etc. - joint work with WebAppSec?
On 3/14/13 8:16 PM, ext Charles McCathie Nevile wrote:
> On Thu, 14 Mar 2013 18:15:14 +0100, Dimitri Glazkov dglaz...@chromium.org wrote:
>> On Thu, Mar 14, 2013 at 7:10 AM, Hill, Brad bh...@paypal-inc.com wrote:
>>> Is there time available on the April F2F agenda for discussion of this? If not in WebApps, would relevant WG members be willing to join us if we found time to discuss in WebAppSec's timeslot Thursday or Friday?
>>
>> http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics
>>
>> Shows agenda wide open so far. Should we just plop something into one of the slots?
>
> Yep, that's a reasonable thing to do...

I allocated a slot for the joint meeting on Thursday from 2:30-3:00. If anyone thinks more time is needed, please speak up.

Please use public-webapps@w3.org for _all_ Web Components discussions and I encourage feedback, comments, etc. in _advance_ of the meeting.

FYI Brad, Dimitri and the Editors have created a suite of Web Components specs. The set of specs that have already been published is:

* Web Components Introduction
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html
* HTML Templates
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html
* Shadow DOM
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/shadow/index.html

There is at least one unpublished ED (not sure if this is ready yet for security review):

* Web Components (<link rel=components> and Components API)
  https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/components/index.html

Dimitri - if you can think of specific areas of potential security concerns you would like reviewed or if I missed any specs, please let us know.

-Thanks, ArtB

> cheers
> Chaals
RE: security model of Web Components, etc. - joint work with WebAppSec?
As I mentioned in my introductory message, I am specifically interested in the security model of components loaded cross-origin - do they get complete control of the application / DOM into which they are loaded? Does an application have any ability to restrict or explicitly pass capabilities to a cross-origin component?

-Brad Hill

-----Original Message-----
From: Arthur Barstow [mailto:art.bars...@nokia.com]
Sent: Friday, March 15, 2013 7:20 AM
To: Hill, Brad; Dimitri Glazkov
Cc: public-webapp...@w3.org; public-webapps
Subject: Re: security model of Web Components, etc. - joint work with WebAppSec?

On 3/14/13 8:16 PM, ext Charles McCathie Nevile wrote:
> On Thu, 14 Mar 2013 18:15:14 +0100, Dimitri Glazkov dglaz...@chromium.org wrote:
>> On Thu, Mar 14, 2013 at 7:10 AM, Hill, Brad bh...@paypal-inc.com wrote:
>>> Is there time available on the April F2F agenda for discussion of this? If not in WebApps, would relevant WG members be willing to join us if we found time to discuss in WebAppSec's timeslot Thursday or Friday?
>>
>> http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics
>>
>> Shows agenda wide open so far. Should we just plop something into one of the slots?
>
> Yep, that's a reasonable thing to do...

I allocated a slot for the joint meeting on Thursday from 2:30-3:00. If anyone thinks more time is needed, please speak up.

Please use public-webapps@w3.org for _all_ Web Components discussions and I encourage feedback, comments, etc. in _advance_ of the meeting.

FYI Brad, Dimitri and the Editors have created a suite of Web Components specs. The set of specs that have already been published is:

* Web Components Introduction
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html
* HTML Templates
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html
* Shadow DOM
  http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/shadow/index.html

There is at least one unpublished ED (not sure if this is ready yet for security review):

* Web Components (<link rel=components> and Components API)
  https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/components/index.html

Dimitri - if you can think of specific areas of potential security concerns you would like reviewed or if I missed any specs, please let us know.

-Thanks, ArtB

> cheers
> Chaals
RE: security model of Web Components, etc. - joint work with WebAppSec?
Is there time available on the April F2F agenda for discussion of this? If not in WebApps, would relevant WG members be willing to join us if we found time to discuss in WebAppSec's timeslot Thursday or Friday?

From: dglaz...@google.com [mailto:dglaz...@google.com] On Behalf Of Dimitri Glazkov
Sent: Monday, March 11, 2013 1:23 PM
To: Arthur Barstow
Cc: Hill, Brad; public-webapp...@w3.org; WebApps WG (public-webapps@w3.org)
Subject: Re: security model of Web Components, etc. - joint work with WebAppSec?

On Sat, Mar 9, 2013 at 4:36 AM, Arthur Barstow art.bars...@nokia.com wrote:
> [ Apology for top-posting and continuing the cross-posting ]
>
> Hi Brad,
>
> Thanks, yes earlier security review and feedback would be good. My preference is to use public-webapps (solely) for all discussions related to Web Components (WC).
>
> Re discussing security and WC f2f, I added a joint meeting between these two groups as a potential agenda topic for WebApps' April 25-26 f2f meeting [1] but I did not allocate a specific day+time slot because it could be a bit premature right now. That said, if you, or Dimitri, or other WC people have a specific day+time you would prefer, please speak up and note we intend to meet all day on the 25th but only until noon on the 26th. (Of course we can cancel the joint meeting if it turns out there is no need to meet.)

I am happy to help facilitate this. Please let me know how I can help.

:DG
Re: security model of Web Components, etc. - joint work with WebAppSec?
On Thu, Mar 14, 2013 at 7:10 AM, Hill, Brad bh...@paypal-inc.com wrote:
> Is there time available on the April F2F agenda for discussion of this? If not in WebApps, would relevant WG members be willing to join us if we found time to discuss in WebAppSec's timeslot Thursday or Friday?

http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics

Shows agenda wide open so far. Should we just plop something into one of the slots?

:DG
Re: security model of Web Components, etc. - joint work with WebAppSec?
On Thu, 14 Mar 2013 18:15:14 +0100, Dimitri Glazkov dglaz...@chromium.org wrote:
> On Thu, Mar 14, 2013 at 7:10 AM, Hill, Brad bh...@paypal-inc.com wrote:
>> Is there time available on the April F2F agenda for discussion of this? If not in WebApps, would relevant WG members be willing to join us if we found time to discuss in WebAppSec's timeslot Thursday or Friday?
>
> http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics
>
> Shows agenda wide open so far. Should we just plop something into one of the slots?

Yep, that's a reasonable thing to do...

cheers
Chaals

--
Charles McCathie Nevile - Consultant (web standards)
CTO Office, Yandex
cha...@yandex-team.ru
Find more at http://yandex.com
Re: security model of Web Components, etc. - joint work with WebAppSec?
On Sat, Mar 9, 2013 at 4:36 AM, Arthur Barstow art.bars...@nokia.com wrote:
> [ Apology for top-posting and continuing the cross-posting ]
>
> Hi Brad,
>
> Thanks, yes earlier security review and feedback would be good. My preference is to use public-webapps (solely) for all discussions related to Web Components (WC).
>
> Re discussing security and WC f2f, I added a joint meeting between these two groups as a potential agenda topic for WebApps' April 25-26 f2f meeting [1] but I did not allocate a specific day+time slot because it could be a bit premature right now. That said, if you, or Dimitri, or other WC people have a specific day+time you would prefer, please speak up and note we intend to meet all day on the 25th but only until noon on the 26th. (Of course we can cancel the joint meeting if it turns out there is no need to meet.)

I am happy to help facilitate this. Please let me know how I can help.

:DG
Re: security model of Web Components, etc. - joint work with WebAppSec?
[ Apology for top-posting and continuing the cross-posting ]

Hi Brad,

Thanks, yes earlier security review and feedback would be good. My preference is to use public-webapps (solely) for all discussions related to Web Components (WC).

Re discussing security and WC f2f, I added a joint meeting between these two groups as a potential agenda topic for WebApps' April 25-26 f2f meeting [1] but I did not allocate a specific day+time slot because it could be a bit premature right now. That said, if you, or Dimitri, or other WC people have a specific day+time you would prefer, please speak up and note we intend to meet all day on the 25th but only until noon on the 26th. (Of course we can cancel the joint meeting if it turns out there is no need to meet.)

-Thanks, ArtB

[1] http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics

On 3/8/13 6:56 PM, ext Hill, Brad wrote:
> WebApps WG,
>
> I have been following with interest (though with less time to give it the attention I wish) the emergence of Web Components and related specifications. (HTML Templates, Shadow DOM, etc.) I wonder if it would be a good time to start discussing the security model jointly with the WebAppSec WG, both on list, and possibly at the upcoming F2F in April?
>
> One of our goals in WebAppSec is that a mashup web of re-usable and composable pieces be possible to do securely. An example anti-pattern in this area is the widely deployed <script src="someothersite.com/canOwnYou.js"> pattern for things like analytics, social widgets and social login. This pattern makes the Web more brittle, such as the "Facebook broke the Internet" bug recently when a script error in Facebook Connect redirected a huge chunk of the Web to a Facebook error page. We security folks that work in both the web apps and PKI areas stay awake at night worrying about bad guys getting a certificate for Google Analytics or Omniture and XSS-ing 90% of the Web.
>
> I don't see much in these specs or via a quick search of the list archives on the security models for the new Web Component and Shadow DOM type integration models when they involve foreign components. There is some level of isolation implied, but I hope there is interest in defining what, if any, the security guarantees of such are and how we might make this kind of composition more pleasant and useful than a sandboxed iframe, but still robust against errors or attacks such that popular components don't become single points of failure for the entire Web.
>
> Thanks,
>
> Brad Hill
> Co-Chair, WebAppSec
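The thread above asks two things of a cross-origin component: whether it gets complete control of the host DOM, and whether the host can restrict or explicitly pass capabilities to it. The example below is added here and is not from the thread, from any of the Web Components specs, or from WebAppSec; it is the sandboxed-iframe baseline that Brad's message uses as the point of comparison. A `<script src>` from a third party runs with the host's full authority; here the component is loaded into a sandboxed cross-origin iframe and the host hands it an enumerated capability table over postMessage, so the component can do exactly the listed operations and nothing else. `COMPONENT_ORIGIN`, the capability names (`getTheme`, `setBadgeCount`) and the `{id, cap, args}` message shape are assumptions made for this example.

```javascript
// Added example (not from the W3C thread or any Web Components spec): a
// host page loads a cross-origin component in a sandboxed iframe and
// exposes an explicit, enumerated set of capabilities over postMessage,
// instead of a <script src="..."> that runs with the host's full authority.
// COMPONENT_ORIGIN, the capability names and the {id, cap, args} message
// shape are all assumptions made for this example.

const COMPONENT_ORIGIN = "https://widgets.example"; // hypothetical component host

// The complete list of things the host lets the component do. Anything not
// in this object is denied, and the component never receives a DOM reference.
function makeCapabilities(state) {
  return {
    // Read-only: the component may learn the current theme.
    getTheme: () => state.theme,
    // Scoped write: the component may update one counter, range-checked.
    setBadgeCount: (n) => {
      if (!Number.isInteger(n) || n < 0 || n > 99) {
        throw new Error("bad count");
      }
      state.badgeCount = n;
      return state.badgeCount;
    },
  };
}

// Validate one message from the component and dispatch it to a capability.
// Returns the reply the host should post back, or null when the message did
// not come from the expected origin (such messages are silently dropped).
function handleComponentMessage(event, caps, expectedOrigin) {
  // 1. Only the component's origin may talk to this broker. A frame with
  //    sandbox="allow-scripts" and no allow-same-origin has an opaque origin
  //    and event.origin is the string "null", which is why mountComponent
  //    below keeps allow-same-origin for a cross-origin src.
  if (event.origin !== expectedOrigin) {
    return null;
  }
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.cap !== "string") {
    return { ok: false, error: "malformed request" };
  }
  // 2. Own-property lookup, so "constructor", "toString" etc. are not callable.
  if (!Object.prototype.hasOwnProperty.call(caps, msg.cap)) {
    return { ok: false, id: msg.id, error: "unknown capability" };
  }
  const args = Array.isArray(msg.args) ? msg.args : [];
  try {
    return { ok: true, id: msg.id, result: caps[msg.cap](...args) };
  } catch (err) {
    // 3. A faulty or hostile component gets an error reply, not a host failure.
    return { ok: false, id: msg.id, error: err.message };
  }
}

// Browser-only wiring. allow-scripts lets the component run; allow-same-origin
// lets it keep its real (cross-origin) identity so the origin check works.
// Because src is cross-origin, the frame still cannot reach the host DOM.
function mountComponent(container, src, expectedOrigin, caps) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.src = src;
  container.appendChild(frame);
  window.addEventListener("message", (event) => {
    if (event.source !== frame.contentWindow) return; // some other window
    const reply = handleComponentMessage(event, caps, expectedOrigin);
    if (reply !== null) event.source.postMessage(reply, expectedOrigin);
  });
  return frame;
}

// Only runs in a browser; under Node the broker functions above are still
// usable on constructed message events.
if (typeof document !== "undefined") {
  const hostState = { theme: "dark", badgeCount: 0 };
  mountComponent(document.body, COMPONENT_ORIGIN + "/widget.html",
                 COMPONENT_ORIGIN, makeCapabilities(hostState));
}
```

The check on `event.source` ties the message to the frame the host created, and the check on `event.origin` ties it to the component's origin; both are needed, since any window the page has a reference to can post to it. Note that `allow-scripts allow-same-origin` is only meaningful when `src` is cross-origin: on a same-origin frame that combination lets the framed document remove its own sandbox attribute, which defeats the point.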