[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Elliotte Rusty Harold elharo at metalab.unc.edu
Fri Sep 26 16:55:54 PDT 2008

Robert O'Callahan wrote:
> On Sat, Sep 27, 2008 at 9:19 AM, Elliotte Rusty Harold 
> <elharo at metalab.unc.edu> wrote:
>     I do think we have an existence proof that security in this realm is
>     possible. That's Java. Modulo some outright bugs in VMs (since
>     repaired) the default Java applet security model has worked and
>     worked well since 1.0 beta 1. (1.0 alpha 1 wasn't quite strict
>     enough.) I have seen no security design flaws exposed in Java
>     applets in over ten years. That's why I suspect duplicating Java's
>     security policy in HTML is a safe way forward. I'm skeptical that
>     anything less will suffice.
> You also see that Java is almost never used in the public Web. Java 
> doesn't prove anything.

As I said, it's an existence proof. Sun's inability to provide decent 
developer tools (unlike Adobe) doesn't reflect on the capability of the 

Elliotte Rusty Harold
elharo at metalab.unc.edu
