W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2006

[whatwg] Content Restrictions

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 31 Jan 2006 20:29:07 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0601312025090.2856@dhalsim.dreamhost.com>
On Mon, 30 Jan 2006, Gervase Markham wrote:
> Ian Hickson wrote:
> > My first impression is that it is far too complex and over-engineered.
> OK... What do you think the requirements are for a solution to this 
> problem? I tried to make my types of restrictions match up with common 
> use cases, but I may well have picked the wrong ones.

I don't really know.

> > The problem with security is that people don't understand the issues. 
> > We don't want to give authors too fine-grained control, because most 
> > authors will get it wrong, but be lulled into a false sense of 
> > security because they are "using Content Restrictions".
> OK; but if your control is too coarse-grained, then people who want to 
> permit just a little bit of scripting are forced to not have any 
> restrictions at all.

Sure. But they're in the 10%, the 90% is secure. Whereas with a complex 
system, maybe 5% is secure, 90% thinks it is but isn't, and the remaining 
5% still don't have enough fine-grained control.

Good luck...
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 31 January 2006 12:29:07 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:44 UTC