RE: CfC: publish a new Working Draft of Web IDL; deadline October 18
For IE9, we've adopted this attribute as well [msDoNotCheckDomainSecurity] It has different meanings for different types of properites (fields vs. accessors) and causes some proxies to be setup, but generally speaking it does allow requests for the property to go through without an access denied hard-stop. I'm not sure how far WebIDL should go toward specing the security aspects of this attribute if it decides to include it. There are a lot of considerations that IE had to put in place to ensure we were secure, and they are quite varied depending on the scenario. My recommendation, if this attribute gets included into the WebIDL syntax, would be merely to indicate what it's intended purpose is, and to leave a general note about further security precautions that should be taken by an implementation to avoid cross-domain problems (or something like that). Starting down the road of defining all the possible attacks and mitigations may not be the best route to take (for this spec anyway). -Travis -Original Message- From: public-script-coord-requ...@w3.org [mailto:public-script-coord-requ...@w3.org] On Behalf Of Shiki Okasaka Sent: Monday, October 11, 2010 5:48 PM To: Shiki Okasaka; public-script-coord; public-webapps Subject: Re: CfC: publish a new Working Draft of Web IDL; deadline October 18 Thanks, Cameron. [DoNotCheckDomainSecurity] is one of the WebKit IDL's attributes, briefly described here: http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf I think security related attributes like this would be very helpful, too. - Shiki 2010/10/12 Cameron McCormack c...@mcc.id.au: -minus various people Shiki Okasaka: You've been missed, Cameron! Just a reminder, my wish list is here (this doesn't have to be reflected in the very next WD, though): http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/00 03.html A signed 8 bit integer type has been required in WebGL. Thanks for pointing these out. I’ve made sure they all have issue boxes in the spec. The one I can find the least information about is [DoNotCheckDomainSecurity]. What are its requirements – just allow property accesses that would normally be blocked because they are cross origin? Is it something HTML5 would use? Thanks, Cameron -- Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Thu, Oct 21, 2010 at 1:38 PM, Travis Leithead tra...@microsoft.com wrote: For IE9, we've adopted this attribute as well [msDoNotCheckDomainSecurity] It has different meanings for different types of properites (fields vs. accessors) and causes some proxies to be setup, but generally speaking it does allow requests for the property to go through without an access denied hard-stop. I'm not sure how far WebIDL should go toward specing the security aspects of this attribute if it decides to include it. There are a lot of considerations that IE had to put in place to ensure we were secure, and they are quite varied depending on the scenario. My recommendation, if this attribute gets included into the WebIDL syntax, would be merely to indicate what it's intended purpose is, and to leave a general note about further security precautions that should be taken by an implementation to avoid cross-domain problems (or something like that). Starting down the road of defining all the possible attacks and mitigations may not be the best route to take (for this spec anyway). My gut reaction is to leave this out from the spec and not let WebIDL specify security aspects. It seems fine for implementations to add their own extended attributes in their own internal IDL, this is something that we've done for gecko forever. To me, the purpose of WebIDL is to specify behavior at a central place, as well as establish common and recommended usage patterns, not for implementations to be able to copy the IDL into the implementation directly. In fact, implementations doesn't have to use IDL at all. / Jonas
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Jonas Sicking: My gut reaction is to leave this out from the spec and not let WebIDL specify security aspects. Agreed. It’d be fine even for other specs (HTML5?) to define their own security-related extended attributes to avoid writing prose that defines when SECURITY_ERRs get thrown, but I don’t think the place to define such an extended attribute is in Web IDL itself. -- Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Thu, Oct 21, 2010 at 2:39 PM, Cameron McCormack c...@mcc.id.au wrote: Jonas Sicking: My gut reaction is to leave this out from the spec and not let WebIDL specify security aspects. Agreed. It’d be fine even for other specs (HTML5?) to define their own security-related extended attributes to avoid writing prose that defines when SECURITY_ERRs get thrown, but I don’t think the place to define such an extended attribute is in Web IDL itself. Sounds good to me. / Jonas
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
I support this as well. -Sam On Oct 11, 2010, at 8:59 AM, Jonas Sicking wrote: Same here. On Monday, October 11, 2010, Anne van Kesteren ann...@opera.com wrote: On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow art.bars...@nokia.com wrote: In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!): http://dev.w3.org/2006/webapi/WebIDL/ As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. Awesome, definitely support this! -- Anne van Kesteren http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Thanks, Cameron. [DoNotCheckDomainSecurity] is one of the WebKit IDL's attributes, briefly described here: http://www.adambarth.com/papers/2009/barth-weinberger-song.pdf I think security related attributes like this would be very helpful, too. - Shiki 2010/10/12 Cameron McCormack c...@mcc.id.au: -minus various people Shiki Okasaka: You've been missed, Cameron! Just a reminder, my wish list is here (this doesn't have to be reflected in the very next WD, though): http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html A signed 8 bit integer type has been required in WebGL. Thanks for pointing these out. I’ve made sure they all have issue boxes in the spec. The one I can find the least information about is [DoNotCheckDomainSecurity]. What are its requirements – just allow property accesses that would normally be blocked because they are cross origin? Is it something HTML5 would use? Thanks, Cameron -- Cameron McCormack ≝ http://mcc.id.au/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
You've been missed, Cameron! Just a reminder, my wish list is here (this doesn't have to be reflected in the very next WD, though): http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html A signed 8 bit integer type has been required in WebGL. Best, - Shiki 2010/10/12 Jonas Sicking jo...@sicking.cc: Same here. On Monday, October 11, 2010, Anne van Kesteren ann...@opera.com wrote: On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow art.bars...@nokia.com wrote: In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!): http://dev.w3.org/2006/webapi/WebIDL/ As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. Awesome, definitely support this! -- Anne van Kesteren http://annevankesteren.nl/
CfC: publish a new Working Draft of Web IDL; deadline October 18
Hi All, In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!): http://dev.w3.org/2006/webapi/WebIDL/ As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. -Art Barstow
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow art.bars...@nokia.com wrote: In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!): http://dev.w3.org/2006/webapi/WebIDL/ As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. Awesome, definitely support this! -- Anne van Kesteren http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
Same here. On Monday, October 11, 2010, Anne van Kesteren ann...@opera.com wrote: On Mon, 11 Oct 2010 12:56:22 +0200, Arthur Barstow art.bars...@nokia.com wrote: In case you didn't know, Cameron is back! And he wants to publish a new Working Draft of Web IDL since he says I’ve finished porting across Web IDL to target ECMAScript 5th edition (modulo bugs of course!): http://dev.w3.org/2006/webapi/WebIDL/ As such, this is a Call for Consensus to publish a new WD of Web IDL. If you have any comments or concerns about this proposal, please send them to public-webapps by October 18 at the latest. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. Awesome, definitely support this! -- Anne van Kesteren http://annevankesteren.nl/
Re: CfC: publish a new Working Draft of Web IDL; deadline October 18
-minus various people Shiki Okasaka: You've been missed, Cameron! Just a reminder, my wish list is here (this doesn't have to be reflected in the very next WD, though): http://lists.w3.org/Archives/Public/public-script-coord/2010JanMar/0003.html A signed 8 bit integer type has been required in WebGL. Thanks for pointing these out. I’ve made sure they all have issue boxes in the spec. The one I can find the least information about is [DoNotCheckDomainSecurity]. What are its requirements – just allow property accesses that would normally be blocked because they are cross origin? Is it something HTML5 would use? Thanks, Cameron -- Cameron McCormack ≝ http://mcc.id.au/