- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Wed, 4 May 2016 09:54:04 -0700
- To: Adrian Hope-Bailie <adrian@hopebailie.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 4, 2016 at 8:59 AM, Adrian Hope-Bailie <adrian@hopebailie.com> wrote: >> This violates expectations for users: > > What users and on what basis? > > If the "users" are developers then are you suggesting they don't understand > that there is a difference between localhost and 127.0.0.1? > > We always need to balance good security approaches with pandering to the > stupidity of users and I think that line can be drawn in a different place > when the users are explicitly Web developers. I don't think we need to call people "stupid" for not realizing that localhost and 127.0.0.1 can be different. We also don't need to satisfy every expectation when there are good reasons not to. Jeffrey
Received on Wednesday, 4 May 2016 16:54:52 UTC