- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 20 Sep 2007 15:55:51 +0200
- To: "Williams, Stuart (HP Labs, Bristol)" <skw@hp.com>, "Arthur Barstow" <art.barstow@nokia.com>
- Cc: public-appformats@w3.org
On Wed, 29 Aug 2007 17:12:44 +0200, Williams, Stuart (HP Labs, Bristol) <skw@hp.com> wrote:

> 1) The TAG would like the introduction to the document to contain a
> fuller account of the rationale behind the existing UA sandbox policy and
> the attacks that it is intended to guard against. For example, we
> believe that one of the key use-cases that the sandbox policy is
> intended to address is leakage of confidential information from behind
> a firewall arising from either accidental or malicious scripted
> behaviour executing within the UA.

That is correct. I mentioned this now in the introduction:

http://dev.w3.org/2006/waf/access-control/Overview.html#introduction

> We would then like the document to indicate whether there are
> situations where implementation of the Read Access Control Policy
> mechanism would make a UA and the network to which it is attached any
> more vulnerable to attack.
>
> We think that the increased risk is probably small, but we believe
> that the document should present more analysis than it does at present.

I tried making this more clear in the security section:

http://dev.w3.org/2006/waf/access-control/Overview.html#security

My apologies for the late reply. I've been busy with some other tasks.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Thursday, 20 September 2007 13:56:18 UTC