W3C home > Mailing lists > Public > public-device-apis@w3.org > November 2009

Re: Security evaluation of an example DAP policy

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Nov 2009 17:03:38 -0800
Message-ID: <63df84f0911191703y361610abg3df6e24d8ee9ba3a@mail.gmail.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, Robin Berjon <robin@berjon.com>, "public-device-apis@w3.org" <public-device-apis@w3.org>, public-webapps WG <public-webapps@w3.org>
On Thu, Nov 19, 2009 at 4:49 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Jonas, Maciej,
>
> It seems that the policy that you would accept would be:
>
> <policy-set combine="deny-overrides">
>  <policy description="Default Policy for websites. Simply denying all API that are covered by some device capability:) ">
>   <target>
>     <subject>
>       <subject-match attr="class" match="website" func="equal"/>
>     </subject>
>   </target>
>   <rule effect="deny">
>     <condition>
>       <resource-match attr="device-cap" func="regexp">/.+/</resource-match>
>     </condition>
>   </rule>
>  </policy>
> </policy-set>
>
> Let's see how DAP will evolve then.

Given that I don't know the specifics about this policy format I can't
comment on the above policy specifically. However I will note that the
security experts at Mozilla did agree that opening a non-modal dialog
asking for access to geo-location was considered acceptable, as I
noted in a previous email. I don't know what effect that has on the
above policy.

I don't know what policy other browsers have used in this area.

/ Jonas
Received on Friday, 20 November 2009 01:04:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:01 GMT