W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 15 Oct 2012 03:32:58 -0700
Cc: Anne van Kesteren <annevk@annevk.nl>, Florian Bösch <pyalot@gmail.com>, "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <31DDFBF4-F929-4388-B3CC-B7C14F02D78D@apple.com>
To: Chris Pearce <cpearce@mozilla.com>

On Oct 14, 2012, at 3:54 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> On 14/10/12 00:49, Maciej Stachowiak wrote:
>> 
>> Despite both of these defenses having drawbacks, I think it is wise for implementations to implement at least one of them. I think the spec should explicitly permit implementations to apply either or both of these limitations, and should discuss their pros and cons in the Security Considerations section.
> 
> 
> I don't support making these mandatory, but they should certainly be added to the Security Considerations section; we considered them, and we may indeed re-consider them in future if it proves necessary.
> 
> I support making the spec general enough that implementors can chose their security features based on their requirements; what's appropriate for a desktop browser may not be appropriate for a tablet, for example.

I agree with both of these comments (in case it wasn't clear). I suggest that these mechanisms should be permitted, not mandatory. Right now it is not entirely clear if either is permitted per spec.

Regards,
Maciej
Received on Monday, 15 October 2012 10:34:09 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:55 GMT