Re: Security evaluation of an example DAP policy

On Thu, Nov 19, 2009 at 4:49 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Jonas, Maciej,
>
> It seems that the policy that you would accept would be:
>
> <policy-set combine="deny-overrides">
>  <policy description="Default Policy for websites. Simply denying all API that are covered by some device capability:) ">
>   <target>
>     <subject>
>       <subject-match attr="class" match="website" func="equal"/>
>     </subject>
>   </target>
>   <rule effect="deny">
>     <condition>
>       <resource-match attr="device-cap" func="regexp">/.+/</resource-match>
>     </condition>
>   </rule>
>  </policy>
> </policy-set>
>
> Let's see how DAP will evolve then.

Given that I don't know the specifics about this policy format I can't
comment on the above policy specifically. However I will note that the
security experts at Mozilla did agree that opening a non-modal dialog
asking for access to geo-location was considered acceptable, as I
noted in a previous email. I don't know what effect that has on the
above policy.

I don't know what policy other browsers have used in this area.

/ Jonas

Received on Friday, 20 November 2009 01:04:39 UTC