- From: Terri Oda <terri@zone12.com>
- Date: Thu, 24 Mar 2011 00:09:09 -0400
- To: Brandon Sterne <bsterne@mozilla.com>
- CC: Collin Jackson <collin.jackson@sv.cmu.edu>, "public-web-security@w3.org" <public-web-security@w3.org>
So, I went around asking some random security folk, web folk, and a
couple of sysadmins. Maybe 10-15 people in total. Pretty much all of
them felt that (b) was the better option for various reasons: usability
confusion on the part of users/developers, increased support costs, more
intuitive behaviour ("if there's no policy then none should be
enforced"), etc.
I work in a security lab with quite a lot of human factors/usability
work going on so we've spent a lot more time than average watching users
fail or succeed at security-related tasks, but even those people not
affiliated with my lab said it sounded like a usability and
comprehension disaster to fail closed in this case.
(Two people also had a little rant about how frustrating they found the
behaviour with respect to self-signed SSL certificates in Firefox, which
I thought was interesting that this brought that choice to mind.)
Brandon Sterne wrote:
> On 03/08/2011 09:43 AM, Brandon Sterne wrote:
>
>> 1. As the document notes, there is still an unresolved issue over what
>> to do with an empty policy: a) most restrictive, or b) most permissive.
>> Mozilla felt that a) was preferable because it allows us to "fail
>> closed", something we tried to do consistently throughout the model. We
>> also wanted to "fail early and fail hard" so that it is obvious to the
>> developer that something has gone horribly wrong. When every image,
>> script and stylesheet fails to load in a resource it's fairly obvious :-)
>>
>> Can you make a case for why b) is preferable?
>>
>
> Going back, I see you made a fairly compelling case for b) here:
> http://lists.w3.org/Archives/Public/public-web-security/2011Feb/0098.html
>
> I'm torn myself. What do others think?
>
> -Brandon
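As an added illustration (not code from the thread or from any browser), here is a toy policy evaluator in which the empty-policy semantics are a parameter, so the (a)/(b) difference Brandon describes can be seen on a constructed sample page. The header syntax, the fallback to default-src, and the origin matching are simplifying assumptions, not the CSP specification.

```python
# Added example, not from the thread: a toy CSP-style evaluator that makes the
# empty-policy choice explicit. Syntax and matching rules are simplified assumptions.
from typing import Dict, List, Set, Tuple

RESTRICTIVE = "restrictive"  # option (a): an empty policy blocks every governed load
PERMISSIVE = "permissive"    # option (b): an empty policy enforces nothing


def parse_policy(header: str) -> Dict[str, Set[str]]:
    """Parse a simplified 'directive src ...; directive src ...' header."""
    policy: Dict[str, Set[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def source_matches(sources: Set[str], origin: str, page_origin: str) -> bool:
    """Match a resource origin against a source list ('self', '*' or literal origins)."""
    if "*" in sources:
        return True
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources


def is_allowed(header: str, directive: str, origin: str,
               page_origin: str, empty_mode: str) -> bool:
    """Decide whether a load governed by `directive` from `origin` may proceed."""
    policy = parse_policy(header)
    if not policy:  # the disputed case: a policy header with no directives at all
        return empty_mode == PERMISSIVE
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # neither the directive nor default-src present (assumption: unrestricted)
        return True
    return source_matches(sources, origin, page_origin)


def blocked_loads(header: str, loads: List[Tuple[str, str]],
                  page_origin: str, empty_mode: str) -> List[Tuple[str, str]]:
    """Return the (directive, origin) pairs the page would fail to load."""
    return [(d, o) for d, o in loads if not is_allowed(header, d, o, page_origin, empty_mode)]


# Constructed sample page: one image, one script and one stylesheet.
SAMPLE_LOADS = [("img-src", "https://cdn.example"),
                ("script-src", "https://example.com"),
                ("style-src", "https://example.com")]

if __name__ == "__main__":
    for mode in (RESTRICTIVE, PERMISSIVE):
        print(mode, "empty policy blocks:",
              blocked_loads("", SAMPLE_LOADS, "https://example.com", mode))
```

Under option (a) every sample load is blocked, which is the "obvious" developer-visible failure the quoted message describes; under option (b) nothing is blocked until a directive is actually present.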
Received on Thursday, 24 March 2011 04:09:40 UTC