- From: Chaals McCathie Nevile <chaals@yandex-team.ru>
- Date: Sat, 02 Apr 2016 02:18:10 +0200
- To: "Rich Schwerdtfeger" <richschwer@gmail.com>
- Cc: "James Teh" <jamie@nvaccess.org>, "John Foliot" <john.foliot@deque.com>, "Joseph Scheuhammer" <clown@alum.mit.edu>, "Cynthia Shelly" <cyns@microsoft.com>, "Matt King" <a11ythinker@gmail.com>, Léonie Watson <tink@tink.uk>, "ARIA Working Group" <public-aria-admin@w3.org>, "David Bolter" <dbolter@mozilla.com>, "Dominic Mazzoni" <dmazzoni@google.com>, "James Craig" <jcraig@apple.com>
On Sat, 02 Apr 2016 01:19:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:

> The security hole already exists whether we apply the role or not. Yes
> it is a big concern.

Sure. A concern I have is that if we accept that browsers won't do anything here, then by effectively just hoping authors do the right thing, we're actively expanding the security hole. I'm wondering if there is a design that doesn't do that.

Also, did anyone ask the security IG (who do security review like APA does accessibility review) to take a look at this?

cheers

> Rich Schwerdtfeger
>
>> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile
>> <chaals@yandex-team.ru> wrote:
>>
>> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger
>> <richschwer@gmail.com> wrote:
>>
>>> Hi James,
>>>
>>> Good to hear from you again.
>>>
>>> 1. Backward compatibility
>>>
>>> I understand. Is there a way for you to patch other versions?
>>
>> This is IMHO a really big concern. Given a broad deployment of stuff
>> that can't obviously be updated, any security solution should not leave
>> people unsecured just because they didn't upgrade. So a solution should
>> be designed so it doesn't get applied in an insecure context, like an
>> old AT missing the patching we hope will one day make this issue
>> irrelevant.
>>
>> cheers
>>
>> Chaals
>>
>> --
>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>> chaals@yandex-team.ru - - - Find more at http://yandex.com

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Saturday, 2 April 2016 00:18:52 UTC