- From: Frode Børli <frode@seria.no>
- Date: Sat, 26 Jul 2008 13:55:09 +0200
Yes, let's all go back to WordPerfect for DOS and hinder innovation. Besides, this is not the proper arena for this discussion :)

2008/7/26 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> A bank sporting a site with a form encouraging the customer to enter
> arbitrary HTML code would be perceived innovative indeed, albeit in the
> Monty-Pythonic sense. I can envision the logo: "The First Alternative
> Reality Bank". Hopefully, all its accounts would be run in Linden dollars...
> And no wonder it could afford only one employee.
> Chris
>
> -----Original Message-----
> From: whatwg-bounces at lists.whatwg.org
> [mailto:whatwg-bounces at lists.whatwg.org] On Behalf Of Frode Borli
> Sent: Saturday, July 26, 2008 9:40 AM
> To: Edward Z. Yang
> Cc: whatwg at whatwg.org; ide at berkeley.edu
> Subject: Re: [whatwg] The <iframe> element and sandboxing ideas
>
>> Frode Borli wrote:
>>> A bank wants an HTML-messaging system where the customer can write
>>> HTML-based messages to customer support through the online banking
>>> system. Customer support personnel have access to perform transactions
>>> worth millions of dollars through the intranet web interface (where
>>> they also receive HTML-based messages from customers).
>>
>> A few problems with this theoretical situation:
>> 1. Why does the bank need an HTML messaging system?
>
> Because the bank wants to be perceived as innovative by its customers?
> It is not my place to question WHY somebody needs a feature. Why is
> there a manufacturer logo on most cars? It isn't strictly required...
>
>> 2. Why is this system on the same domain as the intranet web interface?
>
> Content is submitted from the bank's public website, but customer
> support handles the mails in the internal webmail system, which may be
> on the same domain.
>
>> 3. Why do customer support personnel have access to the transaction
>> interface?
>
> Better question: is it good that, since HTML sanitizing cannot be done
> securely, we need more employees?
>
> If I contact my account manager, he most likely has access to perform
> tasks on my account, as well as on other customers' bank accounts.
>
>>> Security depends on a perfect sanitizer. Would you sell your
>>> sanitizer to this bank without any disclaimers, and say that your
>>> sanitizer will be valid for eternity and for all browsers that the
>>> bank decides to use internally in the future?
>> Well, it's an open-source sanitizer. But that aside, say I was selling
>> them a support contract, I would not say "valid for eternity". However,
>
> Then we need client side sandboxing.
>
>
>

--
Best regards / Med vennlig hilsen
Frode Børli
Seria.no
Mobile: +47 406 16 637
Company: +47 216 90 000
Fax: +47 216 91 000
Think about the environment. Do not print this e-mail unless you really need to.
Tenk miljø. Ikke skriv ut denne e-posten dersom det ikke er nødvendig.
Received on Saturday, 26 July 2008 04:55:09 UTC
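An added example, written for this archive page and not code from anyone in the thread, showing the two approaches the message contrasts: a naive server-side sanitizer of the kind Frode says cannot be made secure, next to "client-side sandboxing" of the customer's raw HTML with the `sandbox` and `srcdoc` attributes of `<iframe>`. The bank system is hypothetical; the function names, the Content-Security-Policy string and the sample customer message are constructed for this example.

```javascript
// Added example for the thread above (not code from any participant).
// Two ways to handle a customer's HTML message before a support employee
// views it inside the intranet web interface:
//   1. a naive server-side "sanitizer" that strips <script> elements, and
//   2. rendering the raw message inside a fully sandboxed <iframe srcdoc>.
// Function names, the CSP policy and the sample message are assumptions
// constructed for this example.

// (1) Naive sanitizer: removes <script>...</script> and nothing else.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Escape text for a double-quoted HTML attribute value. srcdoc is an
// attribute, so the whole embedded document must be escaped this way or a
// quote in the customer's message would close the attribute early.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// (2) Client-side sandboxing. sandbox="" (empty) applies every restriction:
// no script, no forms, no plugins, no top navigation, and an opaque origin,
// so the framed message cannot read the employee's cookies or the intranet
// page's DOM even though the frame is embedded in that page. The CSP inside
// the document additionally blocks network loads (images and the like).
function sandboxedFrame(untrustedHtml) {
  const doc =
    `<!doctype html><html><head><meta charset="utf-8">` +
    `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'">` +
    `</head><body>${untrustedHtml}</body></html>`;
  return `<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Review helper for generated markup: extract the sandbox flags, or null
// when the attribute is missing entirely.
function sandboxFlags(markup) {
  const m = markup.match(/\bsandbox="([^"]*)"/);
  return m ? m[1].split(/\s+/).filter(Boolean) : null;
}

// A frame is acceptable for untrusted content only if it is sandboxed and
// does not combine allow-scripts with allow-same-origin: with both, framed
// script can reach the parent document and remove the sandbox attribute.
function isSafeSandbox(markup) {
  const flags = sandboxFlags(markup);
  if (flags === null) return false;
  return !(flags.includes("allow-scripts") && flags.includes("allow-same-origin"));
}

// Constructed sample "customer" message: a script block, an event handler
// on an image, and a quote that would break a naive srcdoc attribute.
const CUSTOMER_MESSAGE =
  '<p>Hello support,</p>' +
  '<script>alert(1)</script>' +
  '<img src="x" onerror="alert(document.cookie)">' +
  '<p>"Thanks" &amp; regards</p>';

function demo() {
  const sanitized = naiveSanitize(CUSTOMER_MESSAGE);
  const framed = sandboxedFrame(CUSTOMER_MESSAGE);
  return {
    // The sanitizer did what it promised...
    scriptStripped: !/<script/i.test(sanitized),
    // ...but the onerror handler still runs in the employee's origin.
    handlerSurvives: /onerror=/i.test(sanitized),
    // The sandboxed frame is present and uses no dangerous flag pair.
    frameIsSafe: isSafeSandbox(framed),
    // Three attributes, two quotes each: nothing leaked from the message.
    quotesBalanced: (framed.match(/"/g) || []).length === 6,
  };
}

console.log(demo());
```

One caveat that matches Frode's "all browsers that the bank decides to use in the future" point: a browser that does not implement `sandbox` ignores the attribute and renders the framed document with the embedding page's full privileges. In a real deployment the framed content should therefore also be served from a dedicated origin (a separate hostname reserved for untrusted content) so the origin boundary holds even where the attribute is not understood. The `isSafeSandbox` check encodes the one flag combination the HTML specification itself warns about, `allow-scripts` together with `allow-same-origin`, which lets framed script remove its own sandbox.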