
Re: new meta tags to protect code visibility or immutability

From: Craig Francis <craig.francis@gmail.com>
Date: Wed, 17 Feb 2016 09:19:21 +0000
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <82D00E4A-73F6-42AA-A554-4CB8E2DEE61D@gmail.com>
To: Ahmed Saleh <ahmedzs@live.ca>
On 16 Feb 2016, at 14:45, Ahmed Saleh <ahmedzs@live.ca> wrote:
> Code security is crucial for web development applications. I propose the addition of <meta immutable> and <meta protected> to achieve that. The first one will prevent data from being mutated by browser plugins or agents while the final one will protect code from being exposed to user. These mechanisms can help developers protect their code. 

Hi Ahmed,

I'm just a developer, not part of the W3C, but thought I'd share my views on this...

Marking a page as "immutable" is not going to happen, as plugins (extensions) have complete control over the page. I personally don't like this happening on my websites, because I have to develop some very secure websites, and get annoyed when the users have extensions that inject random adverts onto every page (plus all kinds of other messy/insecure JavaScript). However I have to accept that the user is (kind of) making that decision, and they should be able to do whatever they like... from blocking adverts (or "malvertising"), stopping all animations on the page, changing the font (e.g. using Open Dyslexic), etc, etc.

As to "protected", I'm not sure what you are after with this one. If you want to stop the user from being able to look at the source code, well that isn't going to happen. Trying to enforce those restrictions will only create a false sense of security for you (the developer), as anyone could run a browser that ignores it, modify their browser to ignore it, or simply see/modify the resources being passed over the network (although this might require some HTTPS proxying, but that is still possible).

That said, I do know where you are coming from, and in some ways I would like these features myself, but fortunately the web does not work like that.

Received on Wednesday, 17 February 2016 09:19:50 UTC
