[whatwg] Content Restrictions

Tue Jan 31 12:29:07 PST 2006

On Mon, 30 Jan 2006, Gervase Markham wrote:
>
> Ian Hickson wrote:
> > My first impression is that it is far too complex and over-engineered.
> 
> OK... What do you think the requirements are for a solution to this 
> problem? I tried to make my types of restrictions match up with common 
> use cases, but I may well have picked the wrong ones.

I don't really know.

> > The problem with security is that people don't understand the issues. 
> > We don't want to give authors too fine-grained control, because most 
> > authors will get it wrong, but be lulled into a false sense of 
> > security because they are "using Content Restrictions".
> 
> OK; but if your control is too coarse-grained, then people who want to 
> permit just a little bit of scripting are forced to not have any 
> restrictions at all.

Sure. But they're in the 10%, the 90% is secure. Whereas with a complex 
system, maybe 5% is secure, 90% thinks it is but isn't, and the remaining 
5% still don't have enough fine-grained control.

Good luck...
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'