Re: [webappsec] Call for Consensus: UISecurity to Last Call Working Draft

On Mon, Nov 25, 2013 at 10:41 PM, Brad Hill <hillbrad@gmail.com> wrote:
> https://dvcs.w3.org/hg/user-interface-safety/raw-file/6e5a766786c0/user-interface-safety.html

Do we really want to add a new dependency on XPath? And in particular
a new one as I don't think we have a primitive in the platform today
that generates an expression for a given node. We are trying to stay
away from XML and XSLT quite decisively so this seems surprising.


As for the unsafe property, you need to add [Unforgeable] to its IDL.
"The value should not not be set unless triggered by user initiated
actions." does not make sense. The property will always return a
value, either true or false. The "UI Event handling" section also
cannot really be implemented. It uses many terms such as "compositor"
and "layers" that do not really have a definition in the layout
standards we have today.


I haven't really studied the document in detail, but based on the
above it does not seem ready to me.


-- 
http://annevankesteren.nl/

Received on Tuesday, 26 November 2013 11:28:40 UTC