Re: The Web Security Model (was: breakage and consistency of the Web platform)

On Feb 9, 2011, at 7:41 AM, Robin Berjon wrote:

> On Feb 3, 2011, at 15:48 , Anne van Kesteren wrote:
>> I am pretty sure you are being sarcastic, but there is no real central definition of the "the web security model". It was mostly developed ad hoc as the platform evolved. http://tools.ietf.org/html/draft-ietf-websec-origin which came from the HTML5 work defines an important part of it.
> 
> The more time passes and the more questions I get about this, the more I'm convinced that not having this written up is a problem. Perhaps not a pressing problem, but one nevertheless. Most if not all of the pieces are actually available, but there's no document that says "for the definitive story, go read this and that, and here are the missing bits". It would be way exaggerated to state that this is security in obscurity, but it would certainly benefit from clarity.
> 
> This is an architectural issue that requires documenting.

At the TAG F2F meeting yesterday, I talked about "Security on the Web" (http://www.w3.org/2001/tag/2011/02/security-web.html), and my understanding is roughly the same as what Anne said above:

>>> there is no real central definition of the "the web security model". It was mostly developed ad hoc as the platform evolved.

Security was not designed into the architecture, but various security features were developed in conjunction with the massive growth of Web technologies in general (where security came second to several other factors).

The security issues of the Web are more fundamental than what is currently captured by the various specifications and I agree that it would be nice to document these issues. 

Cheers,

- John

> Who you gonna call?
> 
> -- 
> Robin Berjon - http://berjon.com/

Received on Wednesday, 9 February 2011 13:05:05 UTC