Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Thu, Oct 21, 2010 at 2:39 PM, Cameron McCormack wrote:
> Jonas Sicking:
>> My gut reaction is to leave this out from the spec and not let WebIDL
>> specify security aspects.
>
> Agreed. It’d be fine even for other specs (HTML5?) to define their own
> security-related extended attributes to avoid writing prose that defines
> when SECURITY_ERRs get thrown, but I don’t think the place to define
> such an extended attribute is in Web IDL itself.

Sounds good to me.

/ Jonas
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Jonas Sicking:
> My gut reaction is to leave this out from the spec and not let WebIDL
> specify security aspects.

Agreed. It’d be fine even for other specs (HTML5?) to define their own security-related extended attributes to avoid writing prose that defines when SECURITY_ERRs get thrown, but I don’t think the place to define such an extended attribute is in Web IDL itself.

--
Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Thu, Oct 21, 2010 at 1:38 PM, Travis Leithead wrote:
> For IE9, we've adopted this attribute as well [msDoNotCheckDomainSecurity]
>
> It has different meanings for different types of properties (fields vs.
> accessors) and causes some proxies to be set up, but generally speaking it
> does allow requests for the property to go through without an "access denied"
> hard-stop.
>
> I'm not sure how far WebIDL should go toward specing the security aspects of
> this attribute if it decides to include it. There are a lot of considerations
> that IE had to put in place to ensure we were secure, and they are quite
> varied depending on the scenario.
>
> My recommendation, if this attribute gets included into the WebIDL syntax,
> would be merely to indicate what its intended purpose is, and to leave a
> general note about further security precautions that should be taken by an
> implementation to avoid cross-domain problems (or something like that).
> Starting down the road of defining all the possible attacks and mitigations
> may not be the best route to take (for this spec anyway).

My gut reaction is to leave this out from the spec and not let WebIDL specify security aspects.

It seems fine for implementations to add their own extended attributes in their own internal IDL, this is something that we've done for gecko forever.

To me, the purpose of WebIDL is to specify behavior at a central place, as well as establish common and recommended usage patterns, not for implementations to be able to copy the IDL into the implementation directly. In fact, implementations don't have to use IDL at all.

/ Jonas
RE: CfC: publish a new Working Draft of Web IDL; deadline October 18
For IE9, we've adopted this attribute as well [msDoNotCheckDomainSecurity]

It has different meanings for different types of properties (fields vs. accessors) and causes some proxies to be set up, but generally speaking it does allow requests for the property to go through without an "access denied" hard-stop.

I'm not sure how far WebIDL should go toward specing the security aspects of this attribute if it decides to include it. There are a lot of considerations that IE had to put in place to ensure we were secure, and they are quite varied depending on the scenario.

My recommendation, if this attribute gets included into the WebIDL syntax, would be merely to indicate what its intended purpose is, and to leave a general note about further security precautions that should be taken by an implementation to avoid cross-domain problems (or something like that). Starting down the road of defining all the possible attacks and mitigations may not be the best route to take (for this spec anyway).

-Travis

-Original Message-
From: public-script-coord-requ...@w3.org [mailto:public-script-coord-requ...@w3.org] On Behalf Of Shiki Okasaka
Sent: Monday, October 11, 2010 5:48 PM
To: Shiki Okasaka; public-script-coord; public-webapps
Subject: Re: CfC: publish a new Working Draft of Web IDL; deadline October 18

Thanks, Cameron.

[DoNotCheckDomainSecurity] is one of the WebKit IDL's attributes, briefly described here:

http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

I think security related attributes like this would be very helpful, too.

- Shiki

2010/10/12 Cameron McCormack :
> -minus various people
>
> Shiki Okasaka:
>> You've been missed, Cameron!
>>
>> Just a reminder, my wish list is here (this doesn't have to be
>> reflected in the very next WD, though):
>>
>> http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html
>> A signed 8 bit integer type has been required in WebGL.
>
> Thanks for pointing these out. I’ve made sure they all have issue
> boxes in the spec. The one I can find the least information about is
> [DoNotCheckDomainSecurity]. What are its requirements – just allow
> property accesses that would normally be blocked because they are
> cross origin? Is it something HTML5 would use?
>
> Thanks,
>
> Cameron
>
> --
> Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
I support this as well.

-Sam

On Oct 11, 2010, at 8:59 AM, Jonas Sicking wrote:
> Same here.
>
> On Monday, October 11, 2010, Anne van Kesteren wrote:
>> On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow
>> wrote:
>>
>> In case you didn't know, Cameron is back! And he wants to publish a new
>> Working Draft of Web IDL since he says "I’ve finished porting across Web IDL
>> to target ECMAScript 5th edition (modulo bugs of course!)":
>>
>> http://dev.w3.org/2006/webapi/WebIDL/
>>
>> As such, this is a Call for Consensus to publish a new WD of Web IDL. If you
>> have any comments or concerns about this proposal, please send them to
>> public-webapps by October 18 at the latest.
>>
>> As with all of our CfCs, positive response is preferred and encouraged and
>> silence will be assumed to be assent.
>>
>>
>> Awesome, definitely support this!
>>
>>
>> --
>> Anne van Kesteren
>> http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Oct/11/2010 6:56 AM, ext Arthur Barstow wrote:
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.

Support!
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Thanks, Cameron.

[DoNotCheckDomainSecurity] is one of the WebKit IDL's attributes, briefly described here:

http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf

I think security related attributes like this would be very helpful, too.

- Shiki

2010/10/12 Cameron McCormack :
> -minus various people
>
> Shiki Okasaka:
>> You've been missed, Cameron!
>>
>> Just a reminder, my wish list is here (this doesn't have to be
>> reflected in the very next WD, though):
>>
>> http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html
>> A signed 8 bit integer type has been required in WebGL.
>
> Thanks for pointing these out. I’ve made sure they all have issue boxes
> in the spec. The one I can find the least information about is
> [DoNotCheckDomainSecurity]. What are its requirements – just allow
> property accesses that would normally be blocked because they are cross
> origin? Is it something HTML5 would use?
>
> Thanks,
>
> Cameron
>
> --
> Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
You've been missed, Cameron!

Just a reminder, my wish list is here (this doesn't have to be reflected in the very next WD, though):

http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html

A signed 8 bit integer type has been required in WebGL.

Best,

- Shiki

2010/10/12 Jonas Sicking :
> Same here.
>
> On Monday, October 11, 2010, Anne van Kesteren wrote:
>> On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow
>> wrote:
>>
>> In case you didn't know, Cameron is back! And he wants to publish a new
>> Working Draft of Web IDL since he says "I’ve finished porting across Web IDL
>> to target ECMAScript 5th edition (modulo bugs of course!)":
>>
>> http://dev.w3.org/2006/webapi/WebIDL/
>>
>> As such, this is a Call for Consensus to publish a new WD of Web IDL. If you
>> have any comments or concerns about this proposal, please send them to
>> public-webapps by October 18 at the latest.
>>
>> As with all of our CfCs, positive response is preferred and encouraged and
>> silence will be assumed to be assent.
>>
>>
>> Awesome, definitely support this!
>>
>>
>> --
>> Anne van Kesteren
>> http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
-minus various people

Shiki Okasaka:
> You've been missed, Cameron!
>
> Just a reminder, my wish list is here (this doesn't have to be
> reflected in the very next WD, though):
> http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html
> A signed 8 bit integer type has been required in WebGL.

Thanks for pointing these out. I’ve made sure they all have issue boxes in the spec. The one I can find the least information about is [DoNotCheckDomainSecurity]. What are its requirements – just allow property accesses that would normally be blocked because they are cross origin? Is it something HTML5 would use?

Thanks,

Cameron

--
Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Same here.

On Monday, October 11, 2010, Anne van Kesteren wrote:
> On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow
> wrote:
>
> In case you didn't know, Cameron is back! And he wants to publish a new
> Working Draft of Web IDL since he says "I’ve finished porting across Web IDL
> to target ECMAScript 5th edition (modulo bugs of course!)":
>
> http://dev.w3.org/2006/webapi/WebIDL/
>
> As such, this is a Call for Consensus to publish a new WD of Web IDL. If you
> have any comments or concerns about this proposal, please send them to
> public-webapps by October 18 at the latest.
>
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.
>
>
> Awesome, definitely support this!
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow wrote:
> In case you didn't know, Cameron is back! And he wants to publish a new
> Working Draft of Web IDL since he says "I’ve finished porting across Web IDL
> to target ECMAScript 5th edition (modulo bugs of course!)":
>
> http://dev.w3.org/2006/webapi/WebIDL/
>
> As such, this is a Call for Consensus to publish a new WD of Web IDL. If you
> have any comments or concerns about this proposal, please send them to
> public-webapps by October 18 at the latest.
>
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.

Awesome, definitely support this!

--
Anne van Kesteren
http://annevankesteren.nl/
CfC: publish a new Working Draft of Web IDL; deadline October 18
Hi All,

In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says "I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!)":

http://dev.w3.org/2006/webapi/WebIDL/

As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest.

As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent.

-Art Barstow