- From: Micah Dubinko <MDubinko@cardiff.com>
- Date: Thu, 13 Mar 2003 17:40:04 -0800
- To: "'www-forms@w3.org'" <www-forms@w3.org>
David, Andrew, The main difference against today's HTML/DOM is that nobody has widely implemented support for the file: scheme in HTML forms. Without XML, that feature doesn't make much sense. The original point 1 is simply wrong -- nowhere does XForms define a situation where user data is taken from the file system into XML instance data without specific user action. Further, an entire appendix is devoted to privacy issues and letting users know what they're sending. Point 2 is possible on poor implementations, which is why the XForms spec cautions implementers about security issues associated with the 'file' scheme, among others. It's worth noting that modern browser practice include cross-domain security limitations and various forms of sandboxing, applying to the entire browser, not just forms. A "Security Guidelines for User Agents" specification would be interesting to read, but I wouldn't want to be the one stuck producing it. :-) .micah -----Original Message----- From: David Cleary [mailto:davec@progress.com] Sent: Thursday, March 13, 2003 9:03 AM To: www-forms@w3.org Subject: RE: XForms - Secure or Insecure? > -----Original Message----- > From: w3c-forms-request@w3.org [mailto:w3c-forms-request@w3.org]On > Behalf Of AndrewWatt2001@aol.com > There are two potential sources of security concern: > 1. That a malicious XForms-containing document can upload files > from a user's > computer without their knowledge > 2. A malicious XForms-containing document could download a virus or other > nasty to the user's computer. How are these concerns addressed by HTML/DOM today, and why would XForms be less secure? David Cleary
Received on Thursday, 13 March 2003 20:40:06 UTC