[whatwg] WhatWG is broken from Michael A. Peters on 2016-11-30 (public-whatwg-archive@w3.org from December 2016)

From: Michael A. Peters <mpeters@domblogger.net>
Date: Wed, 30 Nov 2016 12:21:34 -0800
To: whatwg@whatwg.org
Message-ID: <51c67668-6f2b-0908-0411-cd92bd8b9894@domblogger.net>

https://www.w3.org/TR/html-design-principles/#priority-of-constituencies

3.2. Priority of Constituencies

In case of conflict, consider users over authors over implementors over 
specifiers over theoretical purity. In other words costs or difficulties 
to the user should be given more weight than costs to authors; which in 
turn should be given more weight than costs to implementors; which 
should be given more weight than costs to authors of the spec itself, 
which should be given more weight than those proposing changes for 
theoretical reasons alone. Of course, it is preferred to make things 
better for multiple constituencies at once.
3.3. Secure By Design

Ensure that features work with the security model of the web. 
Preferrably address security considerations directly in the specification.

Communicating between documents from different sites is useful, but an 
unrestricted version could put user data at risk. Cross-document 
messaging is designed to allow this without violating security constraints.

-=-=-=-=-=-=-=-

Right now the specification for window.opener() is seriously insecure, 
allowing for cross-domain script access by default.

WhatWG refuses to properly address the issue.

The reason they refuse to properly address the issue is because it would 
break OAuth.

Yup - an alleged security tool requires an insecure Internet. That's the 
most insane logic I have ever heard but that's what the issue is.

The proposed fix - rel="noopener" - is insufficient, it is difficult to 
consistently deploy and there are thousands upon thousands of archived 
web pages that won't have that attribute added.

It is unrealistic to expect the end user to be aware of the issue, the 
end user will be vulnerable to phishing and other attacks made possible 
via window.opener() if the browsers do not protect them, but the 
browsers will not protect them unless the specification calls for it, 
and the specification will not call for it because the same companies 
that are heavily invested in OAuth run the WhatWG.

There is a serious conflict of interest and it is resulting in a web 
that does not put the user first, or the security of the user first, but 
instead is putting first a protocol that has had repeated serious 
security flaws and is broken by design.

If the WhatWG can't put the security of Internet users first, then it 
needs to be disbanded and replaced by a working group that will put the 
security of the users first.

Received on Thursday, 1 December 2016 00:49:27 UTC