[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Elliotte Rusty Harold
elharo at metalab.unc.edu
Fri Sep 26 16:55:54 PDT 2008
Robert O'Callahan wrote:
> On Sat, Sep 27, 2008 at 9:19 AM, Elliotte Rusty Harold
> <elharo at metalab.unc.edu> wrote:
>
> I do think we have an existence proof that security in this realm is
> possible. That's Java. Modulo some outright bugs in VMs (since
> repaired) the default Java applet security model has worked and
> worked well since 1.0 beta 1. (1.0 alpha 1 wasn't quite strict
> enough.) I have seen no security design flaws exposed in Java
> applets in over ten years. That's why I suspect duplicating Java's
> security policy in HTML is a safe way forward. I'm skeptical that
> anything less will suffice.
>
>
> You also see that Java is almost never used in the public Web. Java
> doesn't prove anything.
>
As I said, it's an existence proof. Sun's inability to provide decent
developer tools (unlike Adobe) doesn't reflect on the capability of the
model.
--
Elliotte Rusty Harold
elharo at metalab.unc.edu