
Re: Security evaluation of an example DAP policy

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 19 Nov 2009 16:26:15 -0800
Cc: Marcin Hanclik <Marcin.Hanclik@access-company.com>, Adam Barth <w3c@adambarth.com>, Robin Berjon <robin@berjon.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>, public-webapps WG <public-webapps@w3.org>
Message-id: <5F691640-7000-4F86-B1B0-B81CF480A028@apple.com>
To: Jonas Sicking <jonas@sicking.cc>

On Nov 19, 2009, at 4:23 PM, Jonas Sicking wrote:

> On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik
> <Marcin.Hanclik@access-company.com> wrote:
>> Hi Adam,
>> I think that
>> <resource-match attr="param:name" func="regexp">/(C|c):\\(.+)\\(.+)/<resource-match />
>> should be
>> <resource-match attr="param:name" func="regexp">/(C|c):\\([^\\]+)\\.+/<resource-match />
>> up to any further bug in the RE.
>> Sorry, my problem.
>> Anyway, the general comment is that the use case is under control  
>> based on the current spec.
> For what it's worth, I think any API that opened a dialog asking the
> user "Do you want to give website X access to directory Y in your file
> system" would not be an API we'd be willing to implement in firefox.
> I.e. our security policy would be to always deny such a request (thus
> making implementing the API useless for our users).

Ditto for Safari.

  - Maciej
Received on Friday, 20 November 2009 00:26:50 GMT
