Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Eric Rescorla on 2015-10-24 (public-privacy@w3.org from October to December 2015)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Oct 2015 21:12:41 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Nick Doty <npdoty@w3.org>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CABcZeBPKu0FC0Jdf324L6dg7HNkQLss7P12TXL=F44phH1fo-A@mail.gmail.com>

On the other hand, it's the advice we give to sites which handle credit
card numbers, e-mails, and other sensitive information. Generally, if
you once have an XSS on your site, it's fairly hard to clean up later.

-Ekr

On Fri, Oct 23, 2015 at 9:01 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 23 October 2015 at 17:27, Nick Doty <npdoty@w3.org> wrote:
> > The current advice in the specification is for site developers that use
> the API not to have security vulnerabilities anywhere on their sites. That
> doesn't seem like advice that can or will be followed.
>
> Yes, I agree that this sort of advice is foolish.
>

Received on Saturday, 24 October 2015 04:13:49 UTC