- From: Garrett Smith <dhtmlkitchen@gmail.com>
- Date: Thu, 26 Aug 2010 00:14:27 -0700
- To: Brad Kemper <brad.kemper@gmail.com>
- Cc: Alan Gresley <alan@css-class.com>, Boris Zbarsky <bzbarsky@mit.edu>, Patrick Garies <pgaries@fastmail.us>, www-style <www-style@w3.org>
On 8/25/10, Brad Kemper <brad.kemper@gmail.com> wrote:
>
> On Aug 25, 2010, at 10:42 PM, Garrett Smith <dhtmlkitchen@gmail.com> wrote:
>
>> On 8/25/10, Brad Kemper <brad.kemper@gmail.com> wrote:
>>>
>>>
>>> On Aug 25, 2010, at 9:25 PM, Garrett Smith <dhtmlkitchen@gmail.com>
>>> wrote:
>>>
[...]

> If "and?" was instead intended to mean "and given that it is a serious
> security issue, then why not address my earlier point about making the more
> secure behavior required instead of optional,", then I'd say one reason is
> that not all UAs are Web browsers. For instance, for an HTML-based help
> system, authored entirely by a controlled OS team, and unable to browse the
> Web, it might be more important to be able to differentiate responses based
> on what help files you've already seen, than to deal with a threat that
> doesn't really apply to it in its limited scope.

Fine example there. This doesn't work in most browsers and so any developer tasked with that might try it. If he finds that it works in the one browser that he's required to support, he'll use it. A non-interoperable website is born.

The feature is designed to be not interoperable and I think that it may lead to compatibility problems.

There aren't any web APIs for file protocol, so maybe your help-system should focus on that. You might also notice the variations of anomalies with XMLHttpRequest on local file protocol.

--
Garrett

Received on Thursday, 26 August 2010 07:14:56 UTC