[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Maciej Stachowiak mjs at apple.com
Mon Sep 29 21:34:38 PDT 2008

On Sep 28, 2008, at 2:15 PM, Robert O'Callahan wrote:

> On Mon, Sep 29, 2008 at 12:17 AM, Michal Zalewski <lcamtuf at dione.cc>  
> wrote:
> On Sun, 28 Sep 2008, Robert O'Callahan wrote:
> There is no way in the world that Microsoft would implement your  
> option 3 in a security update to IE6.
> Sure, I'm not implying this. I simply have doubts about any other  
> major security changes making it into MSIE8 or Firefox 3.
> As one of the people who makes these decisions, I can tell you that  
> I'd be a lot more comfortable cramming option 1 into Firefox 3 or  
> 3.1 than option 3. Apart from the other reasons I've already raised,  
> option 1, being much simpler and with few degrees of freedom, would  
> take a lot less time to analyze and converge on a spec.

As one of the people who helps decide for Safari, I would agree that  
option 1 is a lot more likely to make it into a security update than  
option 3.


More information about the whatwg mailing list