WARP, "Widgets Security" Terms, and Prior Art


What is WARP?

By default, Widgets run locally on a computer and cannot access content on the Web (i.e., they have no ability to access anything on the network). So, if a widget tries to access an image on the Web, the widget runtime won't allow it by default:

<!doctype html>
<!-- this will fail by default -->
<img src="http://w3.org/logo.gif">

To overcome this security restriction, the Working Group created the Widget Access Request Policy (WARP). WARP provides authors with a declarative means to say what domains on the Web a widget will access. For example, if a widget needs to access an image on "w3.org", the author makes a WARP declaration in the configuration document of a widget:

<widget xmlns="http://www.w3.org/ns/widgets">
  <!-- Gimme access to W3C resources -->
  <access origin="http://w3.org"/>
</widget> 

Having declared an access request, the widget engine will now allow the image to be loaded from the domain w3.org:

<!doctype html>
<!-- the user agent grants access to w3.org! -->
<img src="http://w3.org/logo.gif">

If at runtime, the widget tries to access foo.com, that access is blocked by the widget engine.

<!doctype html>
<!-- this will fail -->
<img src="http://foo.com/hello.gif">

So, the widget manager uses WARP declarations to decide whether to grant access to networked resources.

The WARP declaration can be used to do other useful things also. For instance, when the user installs a widget, the widget engine can tell the end-user which domains the widget may try to contact.
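The default-deny decision described above, as an added example that is not part of the original page or of any widget engine: it parses the <access> elements of a configuration document and checks a URL against them. The `subdomains` attribute and the "*" wildcard are taken from the WARP specification; the function names and sample data are this example's own.

```python
# Added example (not part of the W3C page): a minimal WARP-style decision
# function. It parses <access> elements from a widget configuration document
# and answers whether a given URL may be fetched, defaulting to "deny".
# The `subdomains` attribute and the "*" wildcard follow the WARP spec;
# everything else (function names, sample data) is this example's own.
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WIDGET_NS = "{http://www.w3.org/ns/widgets}"
DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin_parts(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port

def parse_access_policy(config_xml):
    """Collect the access requests declared in a configuration document."""
    root = ET.fromstring(config_xml)
    policy = []
    for el in root.findall(WIDGET_NS + "access"):
        origin = el.get("origin", "").strip()
        if not origin:
            continue  # an <access> element without an origin is ignored
        subdomains = el.get("subdomains", "false").strip().lower() == "true"
        policy.append((origin, subdomains))
    return policy

def is_access_granted(policy, url):
    """Default-deny check: grant only if a declared origin matches the URL."""
    scheme, host, port = _origin_parts(url)
    for origin, subdomains in policy:
        if origin == "*":
            return True  # the widget asked for access to everything
        o_scheme, o_host, o_port = _origin_parts(origin)
        if scheme != o_scheme or port != o_port:
            continue  # scheme and port must match the declared origin
        if host == o_host or (subdomains and host.endswith("." + o_host)):
            return True
    return False

# Constructed sample: the page's own configuration document.
CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets">
  <access origin="http://w3.org"/>
</widget>"""
POLICY = parse_access_policy(CONFIG)
```

With the page's configuration, `is_access_granted(POLICY, "http://w3.org/logo.gif")` is granted while `http://foo.com/hello.gif` and an empty policy are refused.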

So, effectively, WARP shares similarities with Network Access Control Lists, particularly in setting who/what can access resources on the Web.

Software that uses Network Access Control Lists

XACML

The XACML specification, which became an OASIS Standard on 18 February 2003, is used for creating security policies using XML.

Rigo to desc

CISCO Firewalls

Retrieved from the Web Archive, Jun 23, 2004; see also the Web Archive, October 2002.

Just like WARP, CISCO's access control lists (ACLs) can be used to control what resources something can access. Instead of operating at the DNS level, it operates at the IP level:

access-list acl_permit permit ip 192.168.32.0 0.0.7.255

The above permits IP traffic from all addresses in the range 192.168.32.0 through 192.168.39.255: the wildcard mask 0.0.7.255 marks the low 11 address bits as "don't care", so the rule covers the whole 192.168.32.0/21 block.

These access lists can be grouped together, and then be allowed access to particular types of resources (e.g., resources over HTTP, denoted by www below):

access-list 102 permit tcp any any eq www

Hence, they provide similar functionality to WARP but on a larger scale (i.e., on computers or on routers).
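How the two ACL lines above are evaluated, as an added example (not from the archived Cisco documentation): wildcard-mask matching plus a first-match walk with the implicit deny at the end of every Cisco ACL. The entry layout, packet fields and sample traffic are constructed for this illustration; "www" is TCP port 80.

```python
# Added example (not from the archived Cisco documentation): a small evaluator
# showing how the wildcard mask in the page's ACL line selects addresses, and
# how a list of entries is consulted first-match with an implicit deny at the
# end. Entry layout, packet fields and sample traffic are constructed here.
import ipaddress

def matches_wildcard(address, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def wildcard_range(network, wildcard):
    """First and last address selected by network/wildcard (contiguous masks)."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(n & ~w)), str(ipaddress.IPv4Address(n | w))

# (action, protocol, src network, src wildcard, dst network, dst wildcard, dst port)
# "any" is shorthand for 0.0.0.0 255.255.255.255; "eq www" is TCP port 80.
ACL = [
    ("permit", "ip", "192.168.32.0", "0.0.7.255", "0.0.0.0", "255.255.255.255", None),
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", 80),
]

def evaluate_acl(acl, src, dst, protocol, dport=None):
    """Return the action of the first matching entry, or the implicit 'deny'."""
    for action, proto, sn, sw, dn, dw, port in acl:
        if proto != "ip" and proto != protocol:
            continue  # "ip" entries match every protocol
        if not matches_wildcard(src, sn, sw) or not matches_wildcard(dst, dn, dw):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```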

Netscape: Configurable Security Policies

Web Archive, 11 Apr 2000.

In terms of a security manager operating on requests to network resources, as early as 2000 Netscape Navigator introduced Configurable Security Policies:

This is the idea that users should be able to set up security policies for their browsers, and also have different security policies for different internet sites

Much like WARP, these were stored in a text file and allowed a user control over what Websites could/could not do (e.g., a site could be blocked from loading or performing particular actions). In the following example, two websites are blocked from opening popups.

pref("security.policy.strict.sites","http://www.evil.org http://www.annoying.com");  
pref("security.policy.strict.window.open", "noAccess"); 

Claims, Identifying key words

The purpose of the claims chart below is to identify key terms in the patent's claims. The intent is to show where the meaning of W3C Widget terminology differs from that of the terminology used in the patent. This is to enable the construction of a claims dictionary.

Claims (each followed by its key terms)
1. A widget security method, comprising: detecting a security event associated with a widget; generating data indicative of the security event; processing the data to determine a risk level associated with the detected security event, where the risk level is determined by an action selected from a group of actions consisting of reviewing information associated with the widget, comparing widget information with a user profile, and examining programming code associated with the widget; initiating a security action based on the risk level, where the detecting, generating, processing and initiating are performed by one or more processors of a hardware device. 
  • Widget security method
  • Security event
  • Widget
  • Data
  • Risk level
  • (group of) (security) action
  • processor
  • user profile
2. The method of claim 1, wherein detecting includes detecting unauthorized access to resources
  • Resource
3. The method of claim 1, wherein detecting includes detecting unauthorized access to content
  • Content
4. The method of claim 1, wherein processing the data to determine a risk level associated with the detected security event includes: identifying risks based on characteristics of the event and one or more policies associated with the event; and identifying a risk based on the results of the comparison. 
  • policy
5. The method of claim 1, wherein processing the data to determine a risk level associated with the detected security event includes: monitoring widget activity; and identifying a risk based on the activity. 
  • monitoring widget activity
6. The method of claim 5, wherein monitoring widget activity includes logging widget activity
  • logging widget activity
7. The method of claim 1, wherein processing the data to determine a risk level associated with the detected security event includes: retrieving a list of widgets; determining if the widget is on the list; and assessing risk associated with the widget based on whether the widget is included on the list  
8. The method of claim 1, wherein performing a security action includes: informing a user about the security risk; requesting a response from the user; selecting a security action based on the response; and initiating the selected security action. 
9. The method of claim 1, wherein performing a security action is selected from a group of security actions including at least one of disabling the widget, notifying the user of the security event, or changing resource access rights associated with the widget.

10. A computer-readable medium having instructions stored thereon, which, when executed by a processor in a widget security system, causes the processor to perform the operations of:

  • detecting a security event associated with a widget;
  • determining a risk level associated with the detected security event, where the risk level is determined by an action selected from a group of actions consisting of reviewing information associated with the widget, comparing widget information with a user profile, and examining programming code associated with the widget; and performing a security action based on the risk level. 
  • computer readable medium
11. The computer-readable medium of claim 10, wherein detecting includes detecting unauthorized access to resources.   
12. The computer-readable medium of claim 10, wherein detecting includes detecting unauthorized access to content.   
13. The computer-readable medium of claim 10, wherein processing the data to determine a risk level associated with the detected security event includes: identifying risks based on characteristics of the event and one or more policies associated with the event; and identifying a risk based on the results of the comparison.   
14. The computer-readable medium of claim 10, wherein processing the data to determine a risk level associated with the detected security event includes: monitoring widget activity; and identifying a risk based on the activity.   
15. The computer-readable medium of claim 14, wherein monitoring widget activity includes logging widget activity.   
16. The computer-readable medium of claim 10, wherein processing the data to determine a risk level associated with the detected security event includes: retrieving a list of widgets; determining if the widget is on the list; and assessing risk associated with the widget based on whether the widget is included on the list.  
17. The computer-readable medium of claim 10, wherein performing a security action includes: informing a user about the security risk; requesting a response from the user; selecting a security action based on the response; and initiating the selected security action.   
18. The computer-readable medium of claim 10, wherein performing a security action is selected from a group of security actions including at least one of disabling the widget, notifying the user of the security event, or changing resource access rights associated with the widget.   

19. A widget security system, comprising:

  • a widget security manager configured for detecting a security event associated with a widget;
  • a security module coupled to the widget security manager and configured for determining a risk level associated with the detected security event, where the risk level is determined by an action selected from a group of actions consisting of reviewing information associated with the widget, comparing widget information with a user profile, and examining programming code associated with the widget;
  • and a security action manager coupled to the widget security manager and configured for initiating a security action based on the assessed risk.

Typology of Claim Terms

Term   | Synonyms          | Lay term at time of filing (Oct 2005) and after | Technical term
Widget | Gadgets, Desklets |                                                 |