Re: [w3ctag/design-reviews] Realms API ECMAScript Proposal (#542)

> You can try to be clear about it, but it's not working. E.g. there is a separate proposal, titled "Secure ECMAScript", which uses realms as the basis of its "security". Or there are people trying to use realms for security boundaries, and getting burned, as seen in e.g. https://www.figma.com/blog/an-update-on-plugin-security/ . If a feature encourages writing insecure code, you can't just say "but we told you not to write insecure code" and use that as justification for adding it to the platform anyway.

If we refrained from adding features to JavaScript because people made "security" claims about them, we wouldn't have Promises or private fields. People also make security claims about older features like lexical scope/closures. I think this whole security perception issue is really a matter of developer education. The champion group has expressed openness to renaming the proposal, if anyone has ideas for a way to more clearly explain the concept.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/542#issuecomment-728968702

Received on Tuesday, 17 November 2020 14:35:52 UTC