[whatwg] Suggestion for a Specification: XUL Basic

Ian Hickson ian at hixie.ch
Thu Jun 10 08:32:14 PDT 2004

On Thu, 10 Jun 2004, Jose Dinuncio wrote:
>>> *) There is a need for WAOB: In intranets, security of the web app
>>> downloaded is not a concern. In client-server applications, it would be
>>> nice to download an always-up-to-date thin client every time you need
>>> it.
>> How can you tell if the intranet content is trusted or not?
> I don't see wich is the diference on security concerns between using an
> intranet inside the browser vs. outside the browser.

There are several problems. First, how do you know it's an intranet page?

Second, why are you assuming everyone in the intranet is trusted? There
are many scenarios -- for example, school networks -- where the intranet
is even more hostile than the internet.

>>> *) The cost of add this feature in the SPEC is not so big: It is Web
>>> forms outside html. Substract CSS and add the window and layout tags,
>>> and that's all.
>> I don't see why you have to substract CSS, but sure, actually doing a
>> chromeless Web page is easy.
> What I mean is, since web forms are not inside a html doc (in my wildest
> dreams at least) there's not <table> or <p> or CSS to help you in the
> componets layout. So the layout is determined by <hlayout>, <vlayout>
> and friends.

Presentational markup is very bad for accessibility. Whatever language you
use, you would want it to be semantic. And luckily we have this semantic
language right here and already supported in several browsers... HTML. :-)

>> The biggest problem is simply: How can you tell that the content you
>> have is trusted enough that it should be run without any of the browser
>> chrome?
> This is a problem that goes beyond any SPEC. The browser chrome won't
> help you to determine what the app is doing behind scenes, anyway.

No but it will tell you whether the application is from www.paypal.com or
hostile.intranet.example.com, even if the actual content looks identical
in both.

> Security concerns are orthogonal to the web app being executed inside or
> outside the browser.

Security, yes, but we're talking about spoofing, and trust, and that is
not at all unrelated. It is in fact the major issue.

> PS: Can somebody configure the list to make the "reply to" send the
> messages to whatwg and not to the original sender?

The list software should be honouring all headers; if you want Reply_to to
reply to the list, set it on your outgoing messages. (Personally I prefer
replies to go to both me and the list.)

You can also configure the list not to send you duplicate messages. See
the headers of any of the messages from the list for details of where to
configure that, or follow the links you were given in the original
subscription e-mail.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list