- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 07 Mar 2006 01:20:54 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Web APIs WG (public)" <public-webapi@w3.org>

>> I'm not sure that it's a good idea to define the exact security
>> policy here. Shouldn't we allow implementations to return null rather
>> than throwing?
>
> Well, at the moment it doesn't say MUST throw, but MAY throw... I'm not
> sure yet how to handle the security cases. It's obviously important
> enough to mention it in the specification, but limiting the UA in what
> it can do may not be such a good idea either. This does not solely
> apply to this though. We should probably discuss in what level of
> detail we want to define what UAs have to do. Personally I'd be happy
> with not defining what they have to do but just pointing out the
> potential security problems UAs probably have to act upon in order to
> make browsing secure.

Yeah, I think that might be the way to go. We should probably mention that an implementation is allowed to deviate from specified behaviour for security reasons and still be conformant to the spec.

/ Jonas

Received on Tuesday, 7 March 2006 09:20:58 UTC