- From: Shelley Powers <shelley.just@gmail.com>
- Date: Wed, 14 Apr 2010 19:02:42 -0500
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, public-html@w3.org
On Wed, Apr 14, 2010 at 5:01 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Tue, Apr 13, 2010 at 9:53 PM, Shelley Powers <shelley.just@gmail.com> wrote:
>> I'm assuming that there are more use cases, and more target
>> communities, for sandboxing other than just weblogging comments and
>> webloggers. However, the only purpose given for srcdoc was weblogging
>> comments and webloggers, and that was the only one I addressed. I
>> don't feel comfortable speaking for an entire community of people, but
>> I believe that Matt Mullenweg's response, recorded in the change
>> proposal, was a good indicator that the community isn't interested,
>> and is very unlikely to use the attribute.
>
> I didn't bring this up before, but Wordpress has a *long history* of
> XSS vulnerabilities caused by bad escaping/sanitizing/etc. If they've
> finally got a handle on it, great. That's awesome. But, as I keep
> saying, they're an organization with time and effort to spend on this.
> And even with that sort of time and effort, they still got it
> dangerously wrong many, many times before they, hopefully, finally did
> things correctly. And they still could possibly have holes, if new
> capabilities are added in the future that their sanitizers don't
> account for.

Most of Wordpress's problem in the past has been problems with SQL Injection. I know, I found and fixed more than a few when I had forked the application at one point. When you say long history, do you have specifics? Links?

I had the creator of Wordpress, Matt Mullenweg, respond to the necessity of having to provide a srcdoc attribute, in which to stuff comments so that we may be protected. He did not indicate interest. Perhaps you can find other weblog software developers and see if they're interested. Or, since Ian stated that this attribute was for a specific use case, ask him to provide documentation backing up the use case: a request from a weblog developer, a commitment from tool developers to use it.

Something tangible. I've been working with weblogging software for a decade, and though I may not be considered expert enough for this organization, I am fairly comfortable stating that people who work with weblogging templates -- either authors, or tool or template builders -- are highly unlikely to use this attribute.

> If regularly-updated Wordpress blogs don't require the sandbox
> security model to protect themselves, that's fine. But that doesn't
> say anything about:
>
> 1. Infrequently updated Wordpress blogs
> 2. Blogs using some other blogging platform that don't share
> Wordpress's sanitation library
> 3. Blogs written by hand by an author
> 4. Any other system that wishes to display user-generated content
> (retrieved locally, and thus possible to put into the page directly,
> rather than requiring a network request) under the constraints of the
> sandbox security model.
>

Infrequently updated Wordpress blogs? You lost me on this.

I use Drupal -- I find it unlikely that Dries would be interested in srcdoc, either.

Blogs written by hand won't have a comment system. The "by hand" part negates that type of functionality.

Frankly, if weblogging tool developers aren't keen on srcdoc, I don't know if you can say that anyone else would be, either.

>> Now, others may think all of sandboxing is bad, but they should submit
>> a bug, accordingly.
>
> Half or more of your Change Proposal rationale is arguing that all of
> sandboxing is bad (most particularly, the part arguing that authors
> are too stupid to realize that using <iframe srcdoc sandbox> to
> display comments on their blog won't protect them against SQL
> injection when handling form submission of new comments). I would
> appreciate it if you would remove those sections and file bugs
> accordingly.
>

Unless you've become the co-chair for this group, please refrain from telling me to edit my proposals.

> ~TJ
>

Shelley
Received on Thursday, 15 April 2010 00:03:15 UTC
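As an added example (not code from this thread or from Wordpress or Drupal), a small template helper showing the mechanism the two posters are arguing about: wrapping an untrusted weblog comment in `<iframe sandbox srcdoc>` so that the browser confines how it renders, with the attribute escaping the srcdoc value needs and a refusal of the `allow-scripts` plus `allow-same-origin` combination that would let the framed document undo its own sandbox. Function names and the sample comment are constructed for illustration; as Tab's point notes, this does nothing for how the comment was stored on submission.

```javascript
// Hypothetical helper (added example): render an untrusted comment inside a
// sandboxed srcdoc iframe. The sandbox governs what the comment can do when
// *rendered*; storing the comment safely (parameterised SQL on submission)
// is a separate, server-side concern that this helper does not address.

// srcdoc is an ordinary HTML attribute, so '&' and '"' in the comment would
// be decoded or would terminate the attribute before the frame parses it.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Subset of the spec's sandbox tokens that a comment template might grant.
// allow-scripts together with allow-same-origin lets a scripted srcdoc
// document reach the embedding page and remove its sandbox, so that pair
// is refused outright.
function validateSandboxFlags(flags) {
  const known = new Set(['allow-forms', 'allow-scripts', 'allow-same-origin', 'allow-popups']);
  for (const f of flags) {
    if (!known.has(f)) throw new Error(`unknown sandbox flag: ${f}`);
  }
  if (flags.includes('allow-scripts') && flags.includes('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin defeats the sandbox');
  }
  return flags;
}

// Build the iframe markup. The comment body goes into the frame's document
// as-is (including any <script>); with an empty flag list the sandbox is
// fully restrictive, so script inside it does not run and the frame has a
// unique origin. Escaping here only keeps the attribute well-formed.
function sandboxedCommentFrame(commentHtml, flags = []) {
  const attr = validateSandboxFlags(flags).join(' ');
  const sandbox = attr ? `sandbox="${attr}"` : 'sandbox';
  return `<iframe ${sandbox} srcdoc="${escapeAttr(commentHtml)}"></iframe>`;
}

// Constructed sample comment with attribute-breaking quotes and a script tag.
const SAMPLE_COMMENT = 'Nice post "Shelley" <script>alert(1)</script> & more';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sandboxedCommentFrame(SAMPLE_COMMENT));
}
```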