- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 23 Jun 2011 18:55:40 +0200
- To: "public-html@w3.org" <public-html@w3.org>
Hi,

context: <http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888>, in particular

"WebGL has some serious security problems, and this attribute would be nothing more than a bandage, at most. Firefox made the correct decision with WebGL -- they've disabled remote access to image and other files. Even this doesn't begin to address some of the more serious concerns about WebGL.

This specification is at Last Call. Folks from companies that rely on WebKit, both Google and Apple, as well as WebKit folks directly, are groups that participated in the poll to determine whether HTML5 was stable enough for Last Call. From what I remember, all members of these companies/groups have stated that, in their opinion, HTML5 was ready for Last Call.

Unless I'm mistaken, a Last Call decision brings with it additional responsibilities for both the group, and the editor.

I'm not a member of the HTML WG, but it seems to me if these groups now want to withdraw their support for the stability of the HTML5 specification so that the editor can add and remove new features at will, then reps from the groups should address the HTML WG body and acknowledge their intent. That way folks like me, who are faced with continuing chaos as we do the W3C the courtesy of giving our attention to the specification the organization has asked us to review, at least know to wait until the editor has stopped tossing things into the document.

It seems to me that it would have been a simple matter for people to bring the possibility of this change to the attention of the group before the change was made. If this was so important, why did none of you do so? Was it so difficult to submit a bug request, and maybe a follow-up email to the group? Or to get the WebGL group to do the _proper_ thing and have it submit requests to the group during the Last Call process?

Whatever the reasons for not doing so, you didn't. So here we are.

I continue with my request to ask that this change be reverted. Then, if folks are interested, they can properly bring it up to the HTML WG, where it can get the discussion it needs. An item that's related to security should be especially reviewed by members, and yes, outsiders, too. You don't just toss in whatever feels right, and hope it works." -- <http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888#c15>

and

"just going to passively sit here, either.

I disagree with this change, regardless of how it came about. WebGL has some major security issues and this change is nothing more than addressing the tip of the iceberg while ignoring the rest. I think it is more dangerous to add than not. You just don't toss in security changes without due consideration.

HTML5 cannot fix WebGL, and we shouldn't have to even try. The WebGL folks should be responding in a controlled manner to the HTML5 Last Call, with proposed changes, as well as analysis of impact on their effort. How this change fits into their new security paradigm should be presented.

We don't even know if the WebGL group has asked for this, or only one member. We don't even know if all browser companies are on board with this change.

This is not trivial, and shouldn't be approached as a trivial change." -- <http://www.w3.org/Bugs/Public/show_bug.cgi?id=12888#c17>

In addition to this, I'm concerned that HTML5 is gaining a normative dependency on CORS which it did not have before (it is marked normative in the LC draft, but as far as I can tell it's not referenced this way).

Best regards, Julian
Received on Thursday, 23 June 2011 16:56:17 UTC