Re: [POWER] New vs Legacy functionality (Re: "Requirements for Powerful Features" strawman.)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 9 Dec 2014 12:20:31 -0800
Message-ID: <CABkgnnUP_-tn805R+jbpWTa1sk8+qr2u_-Nhf7RRJz5Thbd+Fw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-geolocation@w3.org" <public-geolocation@w3.org>, "Nottingham, Mark" <mnotting@akamai.com>

On 9 December 2014 at 12:12, Mike West <mkwst@google.com> wrote:
> I don't believe the intent of a feature has much of anything to do with the
> attack surface it exposes. Deprecating an insecure feature is a good thing!
> It is substantially less good if deprecating it doesn't improve the security
> situation.


If you want to encourage people to move from feature A to feature A',
then coupling that move with a secure origins limitation could create
additional disincentives to move.

On the other hand, you might see moving from A to A' as the real cost
and consider the move to a secure origin as being trivial. Then the
marginal cost of the linkage between A' and secure origins is
small.

It might simply make sense to say that any choice about secure origins
should be orthogonal to the continuing evolution of a feature.

Received on Tuesday, 9 December 2014 20:21:00 UTC