Re: Defenses against phishing via the fullscreen api (was Re: full screen api)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 15 Oct 2012 03:32:58 -0700
Cc: Anne van Kesteren <annevk@annevk.nl>, Florian Bösch <pyalot@gmail.com>, "Carr, Wayne" <wayne.carr@intel.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-id: <31DDFBF4-F929-4388-B3CC-B7C14F02D78D@apple.com>
To: Chris Pearce <cpearce@mozilla.com>

On Oct 14, 2012, at 3:54 PM, Chris Pearce <cpearce@mozilla.com> wrote:

> On 14/10/12 00:49, Maciej Stachowiak wrote:
>> Despite both of these defenses having drawbacks, I think it is wise for implementations to implement at least one of them. I think the spec should explicitly permit implementations to apply either or both of these limitations, and should discuss their pros and cons in the Security Considerations section.
> I don't support making these mandatory, but they should certainly be added to the Security Considerations section; we considered them, and we may indeed re-consider them in future if it proves necessary.
> I support making the spec general enough that implementors can choose their security features based on their requirements; what's appropriate for a desktop browser may not be appropriate for a tablet, for example.

I agree with both of these comments (in case it wasn't clear). I suggest that these mechanisms should be permitted, not mandatory. Right now it is not entirely clear if either is permitted per spec.

Received on Monday, 15 October 2012 10:34:09 UTC
