- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Wed, 30 Nov 2016 12:21:34 -0800
- To: whatwg@whatwg.org
https://www.w3.org/TR/html-design-principles/#priority-of-constituencies

3.2. Priority of Constituencies

In case of conflict, consider users over authors over implementors over specifiers over theoretical purity.

In other words costs or difficulties to the user should be given more weight than costs to authors; which in turn should be given more weight than costs to implementors; which should be given more weight than costs to authors of the spec itself, which should be given more weight than those proposing changes for theoretical reasons alone. Of course, it is preferred to make things better for multiple constituencies at once.

3.3. Secure By Design

Ensure that features work with the security model of the web. Preferably address security considerations directly in the specification.

Communicating between documents from different sites is useful, but an unrestricted version could put user data at risk. Cross-document messaging is designed to allow this without violating security constraints.

-=-=-=-=-=-=-=-

Right now the specification for window.opener() is seriously insecure, allowing for cross-domain script access by default. WhatWG refuses to properly address the issue.

The reason they refuse to properly address the issue is because it would break OAuth. Yup - an alleged security tool requires an insecure Internet. That's the most insane logic I have ever heard, but that's what the issue is.

The proposed fix - rel="noopener" - is insufficient: it is difficult to consistently deploy, and there are thousands upon thousands of archived web pages that won't have that attribute added.
It is unrealistic to expect the end user to be aware of the issue; the end user will be vulnerable to phishing and other attacks made possible via window.opener() if the browsers do not protect them, but the browsers will not protect them unless the specification calls for it, and the specification will not call for it because the same companies that are heavily invested in OAuth run the WhatWG. There is a serious conflict of interest, and it is resulting in a web that does not put the user first, or the security of the user first, but instead is putting first a protocol that has had repeated serious security flaws and is broken by design. If the WhatWG can't put the security of Internet users first, then it needs to be disbanded and replaced by a working group that will put the security of the users first.
Received on Thursday, 1 December 2016 00:49:27 UTC
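As an added example that is not part of Michael Peters' message or of any WHATWG text, the JavaScript below shows the mechanism the post is arguing about: a link with target="_blank" hands the opened page a window.opener reference whose location is assignable cross-origin (reverse tabnabbing), and rel="noopener" or rel="noreferrer" severs it. The Node-runnable part audits a page's markup for leaking links and rewrites them; the two browser-only helpers at the end show the window.open() and live-DOM forms of the same fix. The sample markup and the lookalike login URL are constructed for this example, and the regex attribute parser is an audit aid, not a full HTML tokenizer.

```javascript
// Added example, not code from the mailing-list post: audit HTML for links
// that hand window.opener to the page they open, and rewrite them with
// rel="noopener". Runs under Node; the browser-only helpers are never called.

// Reverse tabnabbing in one line. A page opened via target="_blank" receives
// window.opener; cross-origin it is mostly opaque, but `location` is
// assignable, so the opened page can steer the ORIGINAL tab to a lookalike.
// Kept as a string because it only makes sense in a browser; URL is made up.
const TABNAB_PAYLOAD =
  "if (window.opener) { window.opener.location = 'https://login.example.test/'; }";

// Parse the attributes of one <a ...> start tag into a lower-cased map.
// Handles double-quoted, single-quoted and unquoted values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when following the link creates a new browsing context that can reach
// window.opener: a target other than the current or ancestor frames, and no
// rel="noopener" / rel="noreferrer" (noreferrer implies noopener).
function leaksOpener(attrs) {
  const target = (attrs.target || '').trim().toLowerCase();
  if (target === '' || target === '_self' || target === '_parent' || target === '_top') {
    return false;
  }
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

const A_TAG = /<a\b[^>]*>/gi;

// Return the start tag of every link in `html` that leaks an opener.
function auditLinks(html) {
  return (html.match(A_TAG) || []).filter((tag) => leaksOpener(parseAttrs(tag)));
}

// Rewrite leaking links only: append noopener to an existing rel, or add one.
// All other markup is returned byte-for-byte unchanged.
function hardenLinks(html) {
  const REL = /(?<=\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  return html.replace(A_TAG, (tag) => {
    const attrs = parseAttrs(tag);
    if (!leaksOpener(attrs)) return tag;
    if ('rel' in attrs) {
      return tag.replace(REL, (_m, dq, sq, uq) => {
        const kept = (dq ?? sq ?? uq).trim();
        return `rel="${kept ? kept + ' ' : ''}noopener"`;
      });
    }
    return tag.replace(/\/?>$/, (end) => ` rel="noopener"${end}`);
  });
}

// Browser-only: the script-side fix that the post notes rel="noopener" cannot
// retrofit onto archived pages. The new window starts as about:blank, so its
// opener can be nulled before it is sent anywhere.
function openWithoutOpener(url) {
  const w = window.open('', '_blank');
  if (w) {
    w.opener = null;
    w.location = url;
  }
  return w;
}

// Browser-only: patch a live document the way hardenLinks patches markup.
function hardenDocument(doc) {
  const selector = 'a[target]:not([rel~="noopener"]):not([rel~="noreferrer"])';
  for (const a of doc.querySelectorAll(selector)) {
    if (leaksOpener({ target: a.target, rel: a.rel })) a.relList.add('noopener');
  }
}

// Constructed sample page for the audit (not from the post).
const SAMPLE_HTML = [
  '<a href="https://partner.example.test/" target="_blank">partner</a>',
  "<a href='/terms' target=_blank rel=nofollow>terms</a>",
  '<a href="/help" target="_blank" rel="noopener">help</a>',
  '<a href="/home">home</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('leaking links:', auditLinks(SAMPLE_HTML));
  console.log(hardenLinks(SAMPLE_HTML));
}
```

One caveat a reader of this 2016 message needs: the HTML standard and the major browsers (Safari 12.1, Firefox 79, Chrome 88) later changed target="_blank" to imply noopener by default, with an explicit rel="opener" required to restore the old behaviour. The audit above therefore describes browsers of the post's era and any current page that opts back in with rel="opener"; the hardening is still the right thing to ship for archived markup and for window.open() calls, which did not get the new default.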