[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Robert O'Callahan wrote:
> On Sat, Sep 27, 2008 at 9:19 AM, Elliotte Rusty Harold 
> <elharo at metalab.unc.edu <mailto:elharo at metalab.unc.edu>> wrote:
> 
>     I do think we have an existence proof that security in this realm is
>     possible. That's Java. Modulo some outright bugs in VMs (since
>     repaired) the default Java applet security model has worked and
>     worked well since 1.0 beta 1. (1.0 alpha 1 wasn't quite strict
>     enough.) I have seen no security design flaws exposed in Java
>     applets in over ten years. That's why I suspect duplicating Java's
>     security policy in HTML is a safe way forward. I'm skeptical that
>     anything less will suffice.
> 
>  
> You also see that Java is almost never used in the public Web. Java 
> doesn't prove anything.
> \


As I said, it's an existence proof. Sun's inability to provide decent 
developer tools (unlike Adobe) doesn't reflect on the capability of the 
model.

-- 
Elliotte Rusty Harold
elharo at metalab.unc.edu

Received on Friday, 26 September 2008 16:55:54 UTC