
Re: [MIX] 4.5 User Controls

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 31 Oct 2014 09:34:41 +0100
Message-ID: <CADnb78jTGzyAUL-yixrWiFYbKL0VFniLDMLmmk=gJ2m3wksNhA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Oct 31, 2014 at 9:29 AM, Brad Hill <hillbrad@gmail.com> wrote:
> I don't want users to be socially engineered into attacking
> themselves, either, but we respect the priority of constituencies.  In
> the end, it is the user's agent, not the resource's.  UAs can make
> choices to warn users or make it difficult to do harm to themselves,
> and some might not provide any affordances around CSP, but I don't
> think it's appropriate to add normative text forbidding the user to
> modify CSP.

I guess that's fair. But then I think I stand by my request to make it
clear in MIX that not all blocked fetches are equal and that you
probably don't want to use the same UI to cater to e.g. CSP and MIX.
Or MIX could simply not say anything about user control either...


-- 
https://annevankesteren.nl/
Received on Friday, 31 October 2014 08:35:08 UTC
