W3C home > Mailing lists > Public > public-ietf-w3c@w3.org > September 2012

RE: web+: enabling websites to expose services with custom URI schemes to registerProtocolHandler.

From: Larry Masinter <masinter@adobe.com>
Date: Thu, 6 Sep 2012 21:47:48 -0700
To: Philippe Le Hegaret <plh@w3.org>, "julian.reschke@gmx.de" <julian.reschke@gmx.de>, Thomas Roessler <tlr@w3.org>
CC: Barry Leiba <barryleiba@computer.org>, Mark Nottingham <mnot@mnot.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
Message-ID: <C68CB012D9182D408CED7B884F441D4D1E2DEF2DEC@nambxv01a.corp.adobe.com>
It looks to me that the proposal has serious security and reliability problems, which we've identified, discussed, and to which there hasn't yet been a response.

If there are browser vendors who claim they want to implement this, I'd like to hear some assurance from their security team that they've reviewed the proposal, and why they don't think there's a problem.  I don't see any point in procedurals move to get some other group to review it. 

> Back on August 23, I saw two proposals:
> 1- get the W3C webappsec to review this.
> 2- modularizing the HTML5 spec.

I don't see either of these as touching on the fundamental.

1 is:  "If you don't believe me, ask webappsec, I'm sure they'll tell you the same thing, as soon as they get around to it"
2 is: "if you push the idea into another document, maybe we can kill it later"

If we're moving back to rational standards making, could we get some resolution on the issue itself?

Larry

Received on Friday, 7 September 2012 04:48:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 7 September 2012 04:48:23 GMT