Re: System Level APIs draft proposal from Jonas Sicking on 2012-05-02 (public-device-apis@w3.org from May 2012)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 2 May 2012 16:44:41 -0700
To: Doug Turner <dougt@mozilla.com>
Cc: Niklas Widell <niklas.widell@ericsson.com>, "Carr, Wayne" <wayne.carr@intel.com>, "Tran, Dzung D" <dzung.d.tran@intel.com>, Robin Berjon <robin@berjon.com>, "public-device-apis@w3.org public-device-apis@w3.org" <public-device-apis@w3.org>
Message-ID: <CA+c2ei8DiG0qRL9rwLM+VR+xZTP432NFefLu99uFJ3muCEjZRg@mail.gmail.com>

On Wed, May 2, 2012 at 9:31 AM, Doug Turner <dougt@mozilla.com> wrote:

> On May 2, 2012, at 2:33 AM, Niklas Widell wrote:
>
> > I would prefer to have browser-safe and non-browser-safe APIs in one WG.
> > Potentially two specs (or two different sections in spec or something)
> per
> > API depending on security solution, but I think the work will only end up
> > in confusion with two Wgs doing very similar things.
>
> I agree.  I think it should be left up to the UA to figure out how to
> express what is browser-safe and what is non-browser-safe.  We should have
> non-normative language that expresses that certain api need security and
> privacy considerations.  However, I think the WG should steer away from
> mandating what APIs are really 'browser-safe'.
>

I'm not a big fan of the term "browser-safe" since it highly depends on the
definition of what a browser is. So in that sense I agree.

However I think that for all APIs that we come up with, we need to define a
security model along with the API. I suspect that in many cases it large
parts will still be left up to the decision of the implementation, for
example what various UI look like. However I think in all cases will we
need to figure out a credible security model.

When we are defining that security model that will likely determine what
browser implementers will feel comfortable exposing to the pages that they
render.

/ Jonas

Received on Wednesday, 2 May 2012 23:45:46 UTC