Misconception: Widgets lack a security model

Another ungrounded misconception is that widgets lack a security model.

Widgets, like most things “Web”, rely on the same-origin security model defined in HTML5. However, because the HTML same-origin policy is quite liberal and prone to cross-site scripting attacks, the Working Group also defined an optional security model for widgets called the Widget Access Request Policy (WARP).

WARP allows developers to declare up front which websites they are going to be communicating with, so the engine can block communication with websites that are not listed by the author.

By default, Widget engines that implement WARP will not allow widgets to access content on the Web (i.e., they have no ability to access anything on the network). So, if a widget tries to access an image on the Web, the widget runtime won’t allow it:

<!doctype html>
<!-- this will fail by default -->
<img src="http://w3.org/logo.gif">

To overcome this default policy restriction, an author needs to declare which domains on the Web a widget will access. For example, if a widget needs to access an image on “w3.org”, the author makes a WARP declaration in the widget's configuration document (config.xml) like so:

<widget xmlns="http://www.w3.org/ns/widgets">
<!-- Gimme access to W3C resources -->
<access origin="http://w3.org"/>
</widget>

Having declared an access request, the widget engine will now allow the image to be loaded from the domain w3.org:

<!doctype html>
<!-- the user agent grants access to w3.org! -->
<img src="http://w3.org/logo.gif">

If, at runtime, the widget tries to access foo.com, the widget engine blocks that access because it violates the access request policy.

<!doctype html>
<!--
this will fail: foo.com is not declared in config.xml
-->
<img src="http://foo.com/hello.gif">
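The default-deny check described above, sketched as an added example (not code from the WARP specification or from any widget engine). It handles only the `origin="scheme://host"` form of `<access>` shown on this page; the function names are hypothetical. It compares whole origins (scheme, host, port) rather than matching substrings, so look-alike hosts are still blocked:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WIDGET_NS = "http://www.w3.org/ns/widgets"
DEFAULT_PORTS = {"http": 80, "https": 443}

# config.xml as shown in this article
CONFIG_XML = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="http://w3.org"/>
</widget>"""


def origin_of(url):
    """Return (scheme, host, port), or None if url has no http(s) origin."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # hostname is already lower-cased and has any user:pass@ prefix removed
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)


def load_policy(config_xml):
    """Collect the origins declared by <access> children of <widget>."""
    # Assumption: a real engine would use a hardened XML parser here,
    # because widget packages are untrusted input.
    root = ET.fromstring(config_xml)
    declared = (origin_of(el.get("origin", ""))
                for el in root.findall(f"{{{WIDGET_NS}}}access"))
    return {o for o in declared if o is not None}


def network_access_allowed(policy, url):
    """Default deny: allow only when the URL's origin was declared."""
    origin = origin_of(url)
    return origin is not None and origin in policy


if __name__ == "__main__":
    policy = load_policy(CONFIG_XML)
    for url in ("http://w3.org/logo.gif", "http://foo.com/hello.gif",
                "https://w3.org/logo.gif", "http://w3.org.foo.com/a.gif"):
        print(url, "->", "allow" if network_access_allowed(policy, url) else "block")
```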

The WARP declaration can be used to do other useful things also. For instance, when the user installs a widget, the widget engine can tell the end-user which domains the widget may try to contact. Opera extensions partially do this, for instance.

It should be said that this misconception about whether widgets have a security model is quite humorous. It’s funny because, as anyone who has followed the widget work for a while knows, it’s the very thing around which Apple disclosed patents and excluded them from the W3C’s royalty-free commitment. Apple holds an extensive, and somewhat questionable, patent portfolio around Widgets and what they term “Widget Security”.

Currently, the W3C Widgets PAG is working towards finding prior art and working around Apple’s patents. The patents are pretty groundless (thanks again US Patent office!), so this should be fairly trivial. If you know of some prior art that can help bust Apple’s patents around widgets, please leave a comment. All help is greatly appreciated.
