[Bug 12888] the crossorigin attribute from bugzilla@jessica.w3.org on 2011-06-15 (public-html-bugzilla@w3.org from June 2011)

From: <bugzilla@jessica.w3.org>
Date: Wed, 15 Jun 2011 13:45:54 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QWqPq-0004xV-3K@jessica.w3.org>

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888

--- Comment #15 from Shelley Powers <shelleyp@burningbird.net> 2011-06-15 13:45:53 UTC ---
I agree completely with Julian. 

WebGL has some serious security problems, and this attribute would be nothing
more than a bandage, at most. Firefox made the correct decision with WebGL --
they've disabled remote access to image and other files. Even this doesn't
begin to address some of the more serious concerns about WebGL. 

This specification is as at Last Call. Folks from companies that rely on
WebKit, both Google and Apple, as well as WebKit folks directly, are groups
that participated in the poll to determine whether HTML5 was stable enough for
Last Call. From what I remember, all members of these companies/groups have
stated that, in their opinion, HTML5 was ready for Last Call. 

Unless I'm mistaken, a Last Call decision brings with it additional
responsibilities for both the group, and the editor.

I'm not a member of the HTML WG, but it seems to me if these groups now want to
withdraw their support for the stability of the HTML5 specification so that the
editor can add and remove new features at will, then reps from the groups
should address the HTML WG body and acknowledge their intent. That way folks
like me, who are faced with continuing chaos as we do the W3C the courtesy of
giving our attention to the specification the organization has asked us to
review, at least know to wait until the editor has stopped tossing things into
the document.

It seems to me that it would have been a simple matter for people to bring the
possibility of this change to the attention of the group before the change was
made. If this was so important, why did none of you do so? Was it so difficult
to submit a bug request, and maybe a follow up email to the group? Or to get
the WebGL group to do the _proper_ thing and have it submit requests to the
group during the Last Call process?

Whatever the reasons for not doing so, you didn't. So here we are. 

I continue with my request to ask that this change be reverted. Then, if folks
are interested, they can properly bring it up to the HTML WG, where it can get
the discussion it needs. An item that's related to security should be
especially reviewed by members, and yes, outsiders, too. You don't just toss in
whatever feels right, and hope it works.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 15 June 2011 13:45:55 UTC