Re: Same Origin Policy - Re: Agenda: <keygen> being destroyed when we need it from Alex Russell on 2015-09-14 (www-tag@w3.org from September 2015)

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 14 Sep 2015 07:11:32 -0700
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: Henry Story <henry.story@co-operating.systems>, Wendy Seltzer <wseltzer@w3.org>, "www-tag@w3.org List" <www-tag@w3.org>, Carvalho Melvin <melvincarvalho@gmail.com>, Tim Berners-Lee <timbl@w3.org>
Message-ID: <CANr5HFUWRZY+CwNwQqof0F6vyBK5BqDg2zscjQvv-+nt+qMrXw@mail.gmail.com>

On Mon, Sep 14, 2015 at 6:59 AM, Kingsley Idehen <kidehen@openlinksw.com>
wrote:

> On 9/12/15 1:54 PM, Alex Russell wrote:
> > But that's all indulgent thinking. JavaScript is a core part of the
> > web stack today. We live in a world where it exists. We cannot pretend
> > it doesn't.
>
> Anyone should still be able to use the Web modulo Javascript.
>

We agree! I'm a massive supporter of the Progressive Enhancement approach
to app/site construction.

> Javascript is simply a popular programming language, supported by
> browsers. It isn't core Web Technology, as far as I understand what
> constitutes core Web Technology:
>
> 1. URIs
> 2. HTTP
> 3. HTML -- this doesn't make Javascript core Web technology (IMHO).
>

While this formulation might be useful in some circumstances, it doesn't
really clarify anything here. The security model of the web is about what
the full set of commonly supported tech (together) can accomplish and is
about setting limits on that behavior. For the same reason that CSS needs
to be factored into security/privacy considerations, so does JavaScript.

Regards

Received on Monday, 14 September 2015 14:12:30 UTC