Re: [webappsec] Call for Consensus: UISecurity to Last Call Working Draft

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 26 Nov 2013 11:28:12 +0000
Message-ID: <CADnb78g-f-acJamUk+7AtB=yXnjPBQ_YX5duFq1Ev7UQ1mP3VA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 25, 2013 at 10:41 PM, Brad Hill <hillbrad@gmail.com> wrote:
> https://dvcs.w3.org/hg/user-interface-safety/raw-file/6e5a766786c0/user-interface-safety.html

Do we really want to add a new dependency on XPath? And in particular
a new one as I don't think we have a primitive in the platform today
that generates an expression for a given node. We are trying to stay
away from XML and XSLT quite decisively so this seems surprising.

As for the unsafe property, you need to add [Unforgeable] to its IDL.
"The value should not not be set unless triggered by user initiated
actions." does not make sense. The property will always return a
value. Either true or false. The "UI Event handling" section also
cannot really be implemented. It uses many terms such as "compositor"
and "layers" that do not really have a definition in the layout
standards we have today.

I haven't really studied the document in detail, but based on the
above it does not seem ready to me.

Received on Tuesday, 26 November 2013 11:28:40 UTC
