- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 31 Oct 2014 09:34:41 +0100
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>

On Fri, Oct 31, 2014 at 9:29 AM, Brad Hill <hillbrad@gmail.com> wrote:
> I don't want users to be socially engineered into attacking
> themselves, either, but we respect the priority of constituencies. In
> the end, it is the user's agent, not the resource's. UAs can make
> choices to warn users or make it difficult to do harm to themselves,
> and some might not provide any affordances around CSP, but I don't
> think it's appropriate to add normative text forbidding the user to
> modify CSP.

I guess that's fair. But then I think I stand by my request to make it
clear in MIX that not all blocked fetches are equal and that you
probably don't want to use the same UI to cater to e.g. CSP and MIX.
Or MIX could simply not say anything about user control either...

--
https://annevankesteren.nl/

Received on Friday, 31 October 2014 08:35:08 UTC