
Re: capability restrictions in the runtime strawman

From: Robin Berjon <robin@berjon.com>
Date: Mon, 25 Jun 2012 10:51:51 -0700
Cc: W3C SysApps <public-sysapps@w3.org>
Message-Id: <3E6BAB1E-E112-4363-9631-360F6223B1D9@berjon.com>
To: "Carr, Wayne" <wayne.carr@intel.com>

On Jun 25, 2012, at 10:23 , Carr, Wayne wrote:
>> For instance, the ability to load remote scripts into a secure context creates
>> interesting security issues. Should it be disabled, or should developers who rely on
>> that for trusted apps just be made to dress up as Barney the Dinosaur for the
>> following three months? If remote scripts are verboten, should the same be done
>> to images?
> 
> It would seem odd that standalone apps that are the html5 equivalent of "native" apps wouldn't even be able to do the equivalent of what a Web page can do.  There can be the same kind of policy as CSP to set where resources can come from, set at install time.  

I don't want to argue either side at this point, but I think it is useful to take a step back and think about how you might want to frame this. If you think of it as removing features then it may indeed seem strange; but if you think of it as removing cruft (to pick a word that keeps this list family-friendly) such as Adam's synchronous XHR examples then it might seem like progress.

But again, that decision isn't to be made now; at this point I just encourage you all to take the time to think about the issue (and of course discuss it here to your hearts' content).

-- 
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Monday, 25 June 2012 17:52:18 GMT
