Re: [widgets] API - openURL security considerations

2010-06-30 Thread Marcos Caceres
/2010AprJun/0465.html -Art Barstow ** From: w...@adambarth.com Subject: Re: [widgets] API - openURL security considerations Date: May 10, 2010 12:15:38 PM EDT It's lame that we're using a blacklist instead of a whitelist here. Also this recommendation is somewhat useless

Re: [widgets] API - openURL security considerations

2010-06-30 Thread Scott Wilson
are all of the responses, starting with the oldest. The last Public response to this thread is: http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0465.html -Art Barstow ** From: w...@adambarth.com Subject: Re: [widgets] API - openURL security considerations Date: May 10

Re: [widgets] API - openURL security considerations

2010-05-11 Thread Arthur Barstow
-webapps/2010AprJun/0465.html -Art Barstow ** From: w...@adambarth.com Subject: Re: [widgets] API - openURL security considerations Date: May 10, 2010 12:15:38 PM EDT It's lame that we're using a blacklist instead of a whitelist here. Also this recommendation is somewhat useless

Re: [widgets] API - openURL security considerations

2010-05-05 Thread Thomas Roessler
On 4 May 2010, at 14:10, Marcos Caceres wrote: Right. I have clarified this: [[ A user agent must not navigate the browsing context of a widget instance through the openURL() method: the concept of navigate is defined in [HTML5]. This restriction is imposed so an arbitrary web site cannot

Re: [widgets] API - openURL security considerations

2010-02-20 Thread Scott Wilson
On 18 Feb 2010, at 21:52, Arve Bersvendsen wrote: On Thu, 18 Feb 2010 22:09:00 +0100, Scott Wilson scott.bradley.wil...@gmail.com wrote: Hi both, Apache Wookie (incubating) currently implements the widget.openURL method by directly calling the browser's window.open() function - in this

Re: [widgets] API - openURL security considerations

2010-02-19 Thread Adam Barth
That depends on what security context the browser thinks you're running in. In general, you need to understand the security implications of each API, regardless of how you implement them. Adam On Thu, Feb 18, 2010 at 1:09 PM, Scott Wilson scott.bradley.wil...@gmail.com wrote: Hi both,

Re: [widgets] API - openURL security considerations

2010-02-18 Thread Thomas Roessler
Marcos, first of all, kudos for thinking about security considerations for this method. I'm glad you're considering factors like interaction flooding and tons of windows opening. Reviewing the spec text: http://www.w3.org/TR/2009/CR-widgets-apis-20091222/#the-openurl-method ... I wonder

Re: [widgets] API - openURL security considerations

2010-02-18 Thread Scott Wilson
Hi both, Apache Wookie (incubating) currently implements the widget.openURL method by directly calling the browser's window.open() function - in this example is there anything particularly special about the fact it's being called by a widget? Should our implementation do anything extra,

Re: [widgets] API - openURL security considerations

2010-02-18 Thread Arve Bersvendsen
On Thu, 18 Feb 2010 22:09:00 +0100, Scott Wilson scott.bradley.wil...@gmail.com wrote: Hi both, Apache Wookie (incubating) currently implements the widget.openURL method by directly calling the browser's window.open() function - in this example is there anything particularly special about

Re: [widgets] API - openURL security considerations

2010-02-11 Thread timeless
On Mon, Feb 8, 2010 at 6:36 PM, Marcos Caceres marc...@opera.com wrote: At Opera we've been discussing some of the security implications around the openURL method in the widgets API spec. We think the spec might benefit if we were to add a non-normative security consideration section for

Re: [widgets] API - openURL security considerations

2010-02-08 Thread Adam Barth
What about being able to link to file:// URLs? You probably want to ban that. Also, have you considered what happens if you put a JavaScript URL or a Data URL into openURL? Adam On Mon, Feb 8, 2010 at 8:36 AM, Marcos Caceres marc...@opera.com wrote: At Opera we've been discussing some of