- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 05 Oct 2010 07:00:23 +0200
- To: Adam Barth <ietf@adambarth.com>
- Cc: IRI WG mailing list <public-iri@w3.org>
* Adam Barth wrote:
>[[
> The in-context evaluation operation necessitates extreme caution in
> deciding where resource identifiers using this scheme are recognized
> and permitted and what facilities are made available to script code,
> like access to private information and operations with side effects.
>]]
>
>I probably would have said something a bit stronger than that.
>JavaScript URLs are a security disaster. I wouldn't recommend their
>use by anyone with a choice in the matter. :)

Like I noted when I announced the revised draft, there has been some
criticism in that direction, but nobody submitted text and I could not
come up with text that I didn't feel was misleading (most problems with
this scheme are shared by other schemes in one form or another, so
singling this scheme out may be a bad idea). If there was consensus that
the scheme should be deprecated, I'd gladly do that, but that's not
where we are.

It would be great if there was, say, a peer-reviewed paper that discusses
the poor security record with this scheme in some detail, which I would
gladly reference in the specification, but I have not yet come across
anything like that.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Tuesday, 5 October 2010 06:01:01 UTC
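The draft text quoted in this message asks implementers to take care where javascript: identifiers are recognized and permitted. The usual defensive answer in a web application is to allowlist the schemes a user-supplied link may carry before it is rendered as an href. The following is an added example, not code from this thread or from the IRI WG; the function name `safeHref`, the set `ALLOWED_SCHEMES` and the base URL `https://example.invalid/` are assumed names chosen for the illustration.

```javascript
// Added example (not from the original thread): allowlist the URL schemes a
// user-supplied link may carry, so that javascript: (and other schemes whose
// resolution evaluates code in the page's context) is never emitted as an
// href. Only the schemes listed here are accepted; everything else is
// rejected rather than blocklisted.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalized absolute URL string if its scheme is allowed,
// otherwise null. The input is run through the WHATWG URL parser (Node's
// global URL, the same parser browsers use) rather than a regular
// expression, so the scheme comparison happens on the parser's normalized
// form: leading/trailing whitespace is stripped, embedded tab and newline
// characters are removed, and the scheme is lower-cased before
// `url.protocol` is compared against the allowlist. The base URL is an
// assumed value; it only matters for resolving relative inputs.
function safeHref(input, base = 'https://example.invalid/') {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input, base);
  } catch {
    // Unparseable input gets no link at all.
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs, as a user-generated-content filter would see them.
const samples = [
  'https://example.org/page?q=1',
  '/relative/path',
  'mailto:bjoern@hoehrmann.de',
  'javascript:alert(1)',
  'data:text/html,hi',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeHref(s));
}
```

The design choice worth noting is that the check is done on the parser's output, not the raw string: an href is only ever rendered from `url.href`, the canonical form the parser produced, so the string the browser will later interpret is exactly the one that was checked.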