Re: DAP and security (was: Rename "File API" to "FileReader API"?)

On Thu, Nov 19, 2009 at 10:08 PM, Marcin Hanclik <
Marcin.Hanclik@access-company.com> wrote:

> The default settings within a browser could e.g. disable directory walking
> and file writing. But if the user changes the settings (and is warned about
> the potential security risks when switching some protection off), then it is
> up to the user and she/he takes over the responsibility.
>

This model generally does not work on the Web. Few users understand settings
or potential security risks and even fewer care. Lots of studies have shown
this (e.g. see
http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf).
Forcing users to make decisions they do not want to make or cannot make is a
failure.

The abstraction of the security concerns within a policy may allow
> delegation of the security to some third parties.
>

There are usually no third parties to delegate to. If you're mainly
concerned with intranet applications, you might be able to delegate to
corporate administrators, but you probably want to avoid that too.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]

Received on Thursday, 19 November 2009 09:40:32 UTC