- From: <bugzilla@jessica.w3.org>
- Date: Thu, 16 Oct 2014 16:28:48 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

--- Comment #89 from Joe Steele <steele@adobe.com> ---

(In reply to Mark Watson from comment #86)
> We could even simply strengthen our security requirements by enumerating the
> issues and mitigations (including but not limited to secure origins) and
> requiring that implementations MUST address these: this would already be
> more than the rest of the web platform - any implementation could have
> buffer overrun vulnerabilities, for example, and we do not specify how
> browsers should address this security aspect - we just assume that they do.

I agree. I think if we specify mechanisms rather than specifying outcomes, we will not end up with the outcomes we want. There is no consensus that the mechanism proposed (SSL/TLS) will address the concerns completely, or that this is the only mechanism that can address the concerns. We have a list of possible attacks and proposed mitigations. I think we would promote better user privacy and better security by adding this information to the spec, normatively if possible.

--
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Thursday, 16 October 2014 16:28:53 UTC