- From: Elad Alon <notifications@github.com>
- Date: Tue, 20 Jun 2023 01:08:56 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 20 June 2023 08:09:02 UTC
> Why does this need to be provided as a web-facing API? All three provided use-cases could likely be done with closed (e.g. extension specific) APIs and you could deploy that as an enterprise policy, which would alleviate the risks of abuse by having it exposed on the web.

An extension API requires the installation of an extension, which implicitly grants permission to the extension to access a myriad other APIs that the admin might not even know about, let alone wish to allow. In some regards the extension path is actually riskier than a Web-exposed path, where the default stance is more security-conscious, and the holes enterprise policies poke through the wall are more deliberate.

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/856#issuecomment-1598314543