- From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
- Date: Sat, 26 Jul 2008 10:17:41 +0200
A bank sporting a site with a form encouraging the customer to enter arbitrary HTML code would be perceived innovative indeed, albeit in the Monty-Pythonic sense. I can envision the logo: "The First Alternative Reality Bank". Hopefully, all its accounts would be run in lindendollars... And no wonder it could afford only one employee.

Chris

-----Original Message-----
From: whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Frode Borli
Sent: Saturday, July 26, 2008 9:40 AM
To: Edward Z. Yang
Cc: whatwg at whatwg.org; ide at berkeley.edu
Subject: Re: [whatwg] The <iframe> element and sandboxing ideas

> Frode Borli wrote:
>> A bank wants an HTML-messaging system where the customer can write
>> HTML-based messages to customer support through the online banking
>> system. Customer support personnel have access to perform transactions
>> worth millions of dollars through the intranet web interface (where
>> they also receive HTML-based messages from customers).
>
> A few problems with this theoretical situation:
> 1. Why does the bank need an HTML messaging system?

Because the bank wants to be perceived as innovative by its customers? It is not my place to question WHY somebody needs a feature. Why is there a manufacturer logo on most cars? It isn't strictly required...

> 2. Why is this system on the same domain as the intranet web interface?

Content is submitted from the bank's public website - but customer support handles the mails in the internal webmail system which may be on the same domain..

> 3. Why do customer support personnel have access to the transaction
> interface?

Better question: is it good that since html-sanitizing cannot be done securely we need more employees? If I contact my account manager he most likely has access to perform tasks on my account, as well as on other customers' bank accounts.

>> Security depends on a perfect sanitizer. Would you sell your
>> sanitizer to this bank without any disclaimers, and say that your
>> sanitizer will be valid for eternity and for all browsers that the
>> bank decides to use internally in the future?
>
> Well, it's an open-source sanitizer. But that aside, say, I was selling
> them a support contract, I would not say "valid for eternity". However,

Then we need client side sandboxing.
Received on Saturday, 26 July 2008 01:17:41 UTC