Re: WebAppSec re-charter status

On 9 February 2015 at 12:49, Deian Stefan <> wrote:
> Would changing the language address some of your concerns? I would be
> happy to use a word other than "untrusted." Or at least tone it down to
> say "untrusted, but not malicious." (We should avoid giving people the
> impression that they can share sensitive data without any concern.)

I'd be happy if this were limited to providing untrusted code with
limited access to information.  That seems perfectly in line with the
sorts of things that CSP can do.

I don't accept the suggestion that forcing untrusted code to use
covert channels for exfiltration is sufficient.  All it takes for
someone to develop an exfiltration library and the suppression of the
overt channels is effectively pointless.

Received on Monday, 9 February 2015 04:24:49 UTC