
Re: Removal of the note about extensions

From: David Bruant <bruant.d@gmail.com>
Date: Sat, 22 Feb 2014 23:34:09 +0100
Message-ID: <530925E1.2070809@gmail.com>
To: "Mike \"Pomax\" Kamermans" <pomax@nihongoresources.com>, public-webappsec@w3.org, mmitar@gmail.com
On 22/02/2014 21:30, Mike "Pomax" Kamermans wrote:
> based on 
> https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55 
> I can't help but also jump in on this topic; as a user of the web, a 
> developer, and someone who cares about freedom the change implemented 
> in said commit has me sitting back in amazement (and an initial 
> furious anger over the audacity to suggest this removal, since abated 
> a little because writing an email in anger usually leads to rather 
> poor writing) over the fact that we're collectively okay with the 
> notion that a website should be allowed to force a browser to lock a 
> user out of the web as an "I choose how to consume this" medium.
This is not my reading of the spec after the change.
My reading is that this paragraph not being part of the spec just 
implies that UAs are allowed to choose to do whatever they want when it 
comes to bookmarklets and addons.
UAs being able to choose is the only thing "we're collectively okay 
with" here (at least I know I am and it looks like the current consensus).

If users use a UA that doesn't have the behavior they expect when it 
comes to bookmarklets and addons, they're free to change.

On the specifics, Mike West spoke for Blink to say "removing this 
sentence /does not/ mean that I'm going to change Blink to prevent 
extensions from running in a page otherwise protected by CSP" [1] (so in 
Blink, a webpage won't be able to force a browser to lock down the user).
I've read the equivalent from Mozilla folks. That's already three main 
browsers (Chrome, Firefox, Opera) who won't allow a webpage to lock down 
the browser.

I'm not sure I understand what this drama is all about. 
Misinterpretation, I imagine.

David

[1] 
https://github.com/w3c/webappsec/commit/cbfaa8edfadebf21a9c7428242c12e45934d8c55#commitcomment-5434788
Received on Saturday, 22 February 2014 22:34:39 UTC
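The thread turns on a mechanical point worth making concrete: from a CSP policy's own point of view, a bookmarklet (a javascript: URL the user clicks) is inline script, exactly like an inline <script> block the page ships, so the policy alone can never distinguish the two; any exemption for user-initiated script or extensions has to be a UA decision, which is what the removed note was about. The following is an added example, not code from the thread, the spec or any browser: a simplified model of CSP 1.0 script-src evaluation (host matching covers scheme, host and '*.' wildcards only; ports, paths, nonces and hashes are omitted), with a constructed policy and page origin.

```javascript
// Added example, not from the thread: a simplified model of how a CSP 1.0
// script-src source list is evaluated. Host matching is a subset of the
// spec's algorithm (no port, path, nonce or hash handling).

// Pick the script-src directive out of a full Content-Security-Policy
// header value and return its source list as tokens, or null if absent.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'script-src') {
      return tokens.slice(1);
    }
  }
  return null; // no script-src: this model treats scripts as unrestricted
}

// Match a host-source pattern ("*", "*.example.com", "cdn.example.com")
// against a hostname.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression allow loading an external script from `url`
// into a page served from `pageOrigin`?
function sourceAllowsUrl(source, pageOrigin, url) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (source.endsWith(':')) return target.protocol === source; // scheme-source, e.g. "https:"
  // host-source, optionally prefixed with a scheme: [scheme://]host
  let scheme = page.protocol; // no scheme given: must match the page's scheme
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; host = m[2]; }
  return target.protocol === scheme && hostMatches(host.toLowerCase(), target.hostname);
}

// Decide whether a script may run under `policy`. `script` is either
// { kind: 'inline' } for a <script> block, inline event handler or
// javascript: URL, or { kind: 'external', url } for a script element with src.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  if (script.kind === 'inline') {
    // CSP 1.0: inline script and javascript: URLs run only with 'unsafe-inline'.
    return sources.includes("'unsafe-inline'");
  }
  return sources.some(s => sourceAllowsUrl(s, pageOrigin, script.url));
}

// A bookmarklet is a javascript: URL; at the policy level it is inline script.
function bookmarkletAllowed(policy, pageOrigin) {
  return scriptAllowed(policy, pageOrigin, { kind: 'inline' });
}

// Constructed sample policy and page origin (assumptions for this example).
const POLICY = "default-src 'none'; script-src 'self' https://cdn.example.com";
const PAGE = 'https://app.example.com';

// The page's own inline script and the user's bookmarklet get the same verdict:
// the policy cannot tell them apart, so whether user-initiated or extension
// script still runs is a decision the UA makes outside the policy.
console.log('page inline script:', scriptAllowed(POLICY, PAGE, { kind: 'inline' }));
console.log('bookmarklet:       ', bookmarkletAllowed(POLICY, PAGE));
console.log('cdn script:        ', scriptAllowed(POLICY, PAGE, { kind: 'external', url: 'https://cdn.example.com/lib.js' }));
console.log('other origin:      ', scriptAllowed(POLICY, PAGE, { kind: 'external', url: 'https://evil.example.net/x.js' }));
```

Run it with Node: the first two lines print false, the CDN script true and the foreign origin false. Adding 'unsafe-inline' to script-src would let the bookmarklet run, but only by also allowing every inline script the page itself could be injected with, which is why the question of exempting user script belongs to the UA rather than the policy.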
