Web Applications Blog

New security model for widgets, Opera 10 and network="public"

By Hans S. TømmerholtFor_d. Wednesday, January 14, 2009 1:47:58 PM

, ,

For Opera 10, we're introducing a new security model which among other things means that widgets don't have network access on by default. In order to enable network access for non-intranet sites, add a network attribute to the widget element in the config.xml of your widget with the value public.

<widget network="public">
...
</widget>


This will make your widget work as intended in Opera 10, but will not affect previous versions. Older browsers will simply ignore the network attribute and give your widget access as per the existing security model. We'll update the documentation with more details as we get closer to a release of Opera 10.

Note that this affects http://widgets.opera.com. If you submit a widget to us without the network attribute, the widget will probably not work in Opera 10. Consequently, your widget will not be approved for that version, and wont show up in the lists of widgets when people browse the site.

Slides from EuroPython08

Comments

Aux Wednesday, January 14, 2009 2:06:23 PM

Will widgets be able to send XMLHTTPRequests to HTTPS? I'm currently working on one project which requires secured login. Inability to work with HTTPS will cause a lot of trouble for me...

Aux Wednesday, January 14, 2009 2:09:55 PM

Another question is about Server Sent Events. Basically I'm working on a mupliplayer game running in a widget. There is one domain (if future may be multiply) and three ports: HTTP for insecure data (XHR access), HTTPS for logging in and other sensitive stuff (XHR access) and one for SSE. Will this combination work smoothly?

Hans S. TømmerholtFor_d Wednesday, January 14, 2009 3:25:31 PM

You must enable access to any protocols other than http by adding this to the security section of the widget's config.xml.

http://dev.opera.com/articles/view/opera-widgets-security-model/

In the new model, https will be allowed as a protocol by default.

Aux Wednesday, January 14, 2009 3:34:48 PM

OK, thanks!

mabdul Wednesday, January 14, 2009 3:51:33 PM

Why giving the widget only access to the local part? for what is this good for? I mean if the author want something bad... that makes no sence for ME. can you explain it a bit more?

Hans S. TømmerholtFor_d Thursday, January 15, 2009 12:01:53 PM

@mabdul: I'm not sure I understand the question. If you don't specify anything in the network attribute, or omit it, your widget will have -no- network access. Local or otherwise.

mabdul Thursday, January 15, 2009 4:59:41 PM

and for what is that? if soembody want that the widget have access, he will uild taht into, if this shouldn't, the widget won't do it (and the widget won't do this also, because nothing is build into that sends data)

so what for is that?
I mean i hope you understand me: if the developer want the access he get the access, if he doesn't want, he won't build anything in...

_Grey_ Thursday, January 15, 2009 8:12:24 PM

@mabdul: My guess would be that widgets are harder to exploit if less widgets have 'useless' privileges, thus reducing the attack surface. Still, I'm not sure and I'd like to see an explanation from an expert, as well.

Hans S. TømmerholtFor_d Friday, January 16, 2009 11:26:02 AM

First of all: There are use cases for widgets without network access. Storing different kinds of notes, clocks, games, etc.

The reason for the change is primarily to align ourselves better with the W3C, which are using an opt-in network model in their upcomming widgets spec.

Then, yes, the idea is to remove unnecessary access from those widgets that don't actually require it, reducing the risks from exploiting errors in these widgets. More so than trying to stop harmful widgets. The idea is that by requiring users to write network="public" to actually get access, devs will be lazy when they don't actually want that and omit it.

The change in architecture also allows us to develop some features down the line, which we'll get back to.

][ePyBuM Saturday, July 24, 2010 5:29:32 AM

Added network="public" to widget element, but I still get access is denied to other domains.

Spadar ShutSpShut Saturday, August 7, 2010 11:51:00 PM

Could you tell me if I can enable the mountpoint protocol?

In my widget I mount a directory and embed svg images from it, but widget won't let me access their dom, throwing security exceptions. So is there a way o add the mounted directory to the trusted sites/protocols?

John Ngugingugs Saturday, July 30, 2011 7:21:11 AM

Hi, can someone at Opera please explain a clear and simple widget that can access a web page,for example,my.opera.com, and display it on a screen. I have tried going through all the sample widgets available on the sdk folder but they're just too advanced with no explanation. Some of us are just lost in claims on this site about how widgets can even scrap the Internet for data but we don't how that is done. PLEASE PLEASE HELP!

Write a comment

New comments have been disabled for this post.