[ Apology for top-posting and continuing the cross-posting ]
Hi Brad,
Thanks, yes earlier security review and feedback would be good.
My preference is to use public-webapps (solely) for all discussions
related to Web Components (WC).
Re discussing security and WC f2f, I added a joint meeting between these
two groups as a potential agenda topic for WebApps' April 25-26 f2f
meeting [1] but I did not allocate a specific day+time slot because it
could be a bit premature right now. That said, if you, or Dimitri, or
other WC people have a specific day+time you would prefer, please speak
up and note we intend to meet all day on the 25th but only until noon on
the 26th. (Of course we can cancel the joint meeting if it turns out
there is no need to meet.)
-Thanks, ArtB
[1] <http://www.w3.org/wiki/Webapps/April2013Meeting#Potential_Topics>
On 3/8/13 6:56 PM, ext Hill, Brad wrote:
WebApps WG,
I have been following with interest (though with less time to give it
the attention I wish) the emergence of Web Components and related
specifications. (HTML Templates, Shadow DOM, etc.)
I wonder if it would be a good time to start discussing the security
model jointly with the WebAppSec WG, both on list, and possibly at the
upcoming F2F in April?
One of our goals in WebAppSec is that a mashup web of re-usable and
composable pieces be possible to do securely. An example anti-pattern
in this area is the widely deployed <script
src="someothersite.com/canOwnYou.js"> pattern for things like
analytics, social widgets and social login. This pattern makes the Web
more brittle, such as the “Facebook broke the Internet” bug recently
when a script error in Facebook Connect redirected a huge chunk of the
Web to a Facebook error page. We security folks that work in both the
web apps and PKI areas stay awake at night worrying about bad guys
getting a certificate for Google Analytics or Omniture and XSS-ing 90%
of the Web.
I don’t see much in these specs or via a quick search of the list
archives on the security models for the new Web Component and Shadow
DOM type integration models when they involve foreign components.
There is some level of isolation implied, but I hope there is interest
in defining what, if any, the security guarantees of such are and how
we might make this kind of composition more pleasant and useful than a
sandboxed iframe, but still robust against errors or attacks such that
popular components don’t become single points of failure for the
entire Web.
Thanks,
Brad Hill
Co-Chair, WebAppSec