
REVERT REQUEST for "crossorigin" attribute

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 23 Jun 2011 18:55:40 +0200
Message-ID: <4E03700C.4060103@gmx.de>
To: "public-html@w3.org" <public-html@w3.org>
Hi,

context: <http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888>, in particular

"WebGL has some serious security problems, and this attribute would be nothing more than a bandage, at most. Firefox made the correct decision with WebGL -- they've disabled remote access to image and other files. Even this doesn't begin to address some of the more serious concerns about WebGL.

This specification is at Last Call. Folks from companies that rely on WebKit, both Google and Apple, as well as WebKit folks directly, are groups that participated in the poll to determine whether HTML5 was stable enough for Last Call. From what I remember, all members of these companies/groups have stated that, in their opinion, HTML5 was ready for Last Call.

Unless I'm mistaken, a Last Call decision brings with it additional responsibilities for both the group, and the editor.

I'm not a member of the HTML WG, but it seems to me if these groups now want to withdraw their support for the stability of the HTML5 specification so that the editor can add and remove new features at will, then reps from the groups should address the HTML WG body and acknowledge their intent. That way folks like me, who are faced with continuing chaos as we do the W3C the courtesy of giving our attention to the specification the organization has asked us to review, at least know to wait until the editor has stopped tossing things into the document.

It seems to me that it would have been a simple matter for people to bring the possibility of this change to the attention of the group before the change was made. If this was so important, why did none of you do so? Was it so difficult to submit a bug request, and maybe a follow up email to the group? Or to get the WebGL group to do the _proper_ thing and have it submit requests to the group during the Last Call process?

Whatever the reasons for not doing so, you didn't. So here we are.

I continue with my request to ask that this change be reverted. Then, if folks are interested, they can properly bring it up to the HTML WG, where it can get the discussion it needs. An item that's related to security should be especially reviewed by members, and yes, outsiders, too. You don't just toss in whatever feels right, and hope it works." -- 
<http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888#c15>

and

"just going to passively sit here, either.

I disagree with this change, regardless of how it came about. WebGL has some major security issues and this change is nothing more than addressing the tip of the iceberg while ignoring the rest. I think it is more dangerous to add than not.

You just don't toss in security changes without due consideration. HTML5 cannot fix WebGL, and we shouldn't have to even try.

The WebGL folks should be responding in a controlled manner to the HTML5 Last Call, with proposed changes, as well as analysis of impact on their effort. How this change fits into their new security paradigm should be presented.

We don't even know if the WebGL group has asked for this, or only one member. We don't even know if all browser companies are on board with this change.

This is not trivial, and shouldn't be approached as a trivial change." 
-- <http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888#c17>

In addition to this, I'm concerned that HTML5 is gaining a normative dependency on CORS which it did not have before (it is marked normative in the LC draft, but as far as I can tell it's not referenced this way).


Best regards, Julian
Received on Thursday, 23 June 2011 16:56:17 UTC