- From: Travis Leithead <notifications@github.com>
- Date: Tue, 08 Jan 2019 12:09:48 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 8 January 2019 20:10:10 UTC
Have re-read the spec and associated resources, and I'm feeling more comfortable with the design ;-). In the explainer you note that the UA should take steps to ensure that the content that originates from the web app is distinctly separate from the trusted UI elements as rendered by the UA. Another concern that led to browsers all-but-removing the rendering of beforeunload's status message, is that fields like "title" are potential attack surface. May want to make of note of that in the Security and Privacy section of the spec as well to be sure implementors are aware. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/279#issuecomment-452434805
Received on Tuesday, 8 January 2019 20:10:10 UTC