
Re: Require security review before FPWD

From: Josh Soref <jsoref@blackberry.com>
Date: Fri, 14 Nov 2014 17:06:33 +0000
To: David Singer <singer@apple.com>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>
CC: Henri Sivonen <hsivonen@hsivonen.fi>, Jeff Jaffe <jeff@w3.org>, "Anne van Kesteren" <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
Message-ID: <D08BA005.5A164%jsoref@blackberry.com>

I agree w/ chaals that it doesn't make sense to use the Process to address
this issue.

It might make sense to ask that new proposals start out only available to
TLS at FPWD and that a security review be done before vendors flip a
switch to expose to non-TLS content.

This isn't a "REC should never allow non-TLS access", but I wonder what
the harm would be in "FPWD does not allow non-TLS access".

FPWD is roughly a proposal with a feature set, I'm not sure why a proposal
with a feature set can't be sandbox tested only with TLS content.

But really, doing this is more a question of getting browser
vendors/developers to buy in to doing something more than W3 asking for

It's the same problem as vendor prefixing. We can ask for whatever, but
unless vendors choose to do it, it doesn't happen.

Note: I'm not actively requesting/encouraging what I'm describing above,
it's just something that if vendors were willing to do seems like
something that could perhaps work...

Received on Friday, 14 November 2014 17:07:01 UTC
