Re: WebAppSec re-charter status

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 9 Feb 2015 15:24:22 +1100
Message-ID: <CABkgnnUL8UxT4SH2anh-uDVwe38OnUVrP5=AUXrj6a2pYt5BvQ@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>
Cc: Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Mike West <mkwst@google.com>, Wendy Seltzer <wseltzer@w3.org>, David Ross <drx@google.com>, Dan Veditz <dveditz@mozilla.com>, Mounir Lamouri <mlamouri@google.com>, David Baron <dbaron@dbaron.org>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 9 February 2015 at 12:49, Deian Stefan <deian@cs.stanford.edu> wrote:
> Would changing the language address some of your concerns? I would be
> happy to use a word other than "untrusted." Or at least tone it down to
> say "untrusted, but not malicious." (We should avoid giving people the
> impression that they can share sensitive data without any concern.)

I'd be happy if this were limited to providing untrusted code with
limited access to information.  That seems perfectly in line with the
sorts of things that CSP can do.

I don't accept the suggestion that forcing untrusted code to use
covert channels for exfiltration is sufficient.  All it takes is for
someone to develop an exfiltration library, and the suppression of the
overt channels is effectively pointless.

Received on Monday, 9 February 2015 04:24:49 UTC