Re: <iframe doc="">

On Mon, Jan 25, 2010 at 9:20 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:

> On Mon, Jan 25, 2010 at 9:07 AM, Shelley Powers <shelley.just@gmail.com>
> wrote:
> > So, what you're saying is that this change really won't do much when it
> > comes to weblog comments?
>
> I said nothing of the sort.  Please don't be disingenuous when
> interpreting comments.  Your list of issues contained:
> • 2 issues that have nothing to do with displaying untrusted content,
> and thus are completely irrelevant to the discussion
> • 2 issues about blocking particular types of elements, which may be
> possible with @sandbox if it's argued persuasively that it would be
> worthwhile
> • 1 issue about XHTML that would be great to fix, but the XHTML
> community has continually had major pushback on whenever browsers have
> wanted to fix it (it's not a problem for HTML pages)
> • 1 reasonable question that I answered, but which doesn't have any
> direct relevance on @sandbox
> • 1 reasonable concern that didn't take into account relevant
> information, which I corrected
>
> So, there are some areas where we could possibly add more protection
> with @sandbox.  None of your issues touched on the important areas
> that @sandbox already *does* cover, though.  In other words, please
> don't think of your list as exhaustive.  Most of it wasn't relevant to
> @sandbox at all, and the parts that were relevant only addressed
> particular use-cases, which is far from enough to declare that
> @sandbox "won't do much".
>
> > No, I'm still talking about srcdoc, since that was the change that Ian
> > added, and the use case Ian provided was weblog comments. If the discussion
> > indirectly impacts on sandbox, and the only reason for the sandbox attribute
> > was weblog comments, then we can discuss that one, too.
>
> But you're *not* talking about @srcdoc.  Not a single thing in your
> last few emails concerned @srcdoc at all.  You're talking entirely
> about @sandbox.
>
> Do you have any specific concerns about @srcdoc?  It would be good to
> hear them instead, so you don't accidentally file a bug to remove
> @srcdoc and cite only problems you have with @sandbox instead.  It
> would be nice if all bugs filed were over relevant and topical
> concerns.
>
> ~TJ
>


I'm not being disingenuous. And I ask you to remember to be civil in
responding to me. I also ask that you stop dictating how and in what way I
can bring up concerns.

When Ian proposed this change, he specifically focused it at weblog
comments. I know comments, and the problems comment systems have. And in
point of fact, there is nothing in Ian's example or discussion that relates
to comment security.

So I am trying to understand the purpose of this change, and who Ian
perceives to be the customer for this change. These are appropriate
questions to ask: we cannot determine the technical merit of a solution
unless we have an understanding of all the particulars.

Adam now has stated this change wasn't to do with comments, but ads. Or not
only to do with comments, but also to do with ads. That is an entirely
different thing: different customers, different uses, different concerns,
different technical challenges. I'm hoping he (Adam) will link the relevant
discussions from the WhatWG group here, so we can then look at Ian's
solution in context of how it is to be used, its customers, their
expectations, and the technical challenges.

This is all very relevant.

Shelley

Received on Monday, 25 January 2010 15:29:13 UTC