Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Eric Rescorla on 2015-10-24 (public-privacy@w3.org from October to December 2015)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Oct 2015 21:19:22 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Nick Doty <npdoty@w3.org>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CABcZeBNKvYhRmp1pA8QODp5BwedzY3U7sQ9MMvT=QpJR43=DuQ@mail.gmail.com>

On Fri, Oct 23, 2015 at 9:17 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 23 October 2015 at 21:12, Eric Rescorla <ekr@rtfm.com> wrote:
> > On the other hand, it's the advice we give to sites which handle credit
> > card numbers, e-mails, and other sensitive information. Generally, if
> > you once have an XSS on your site, it's fairly hard to clean up later.
>
>
> Don't get me wrong, it's great advice, it's just not an effective
> strategy in this case.
>

Less so than "don't allow there to be an XSS or someone will steal
everyone's
personal data"?

-Ekr

Received on Saturday, 24 October 2015 04:20:29 UTC