[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
mjs at apple.com
Mon Sep 29 21:34:38 PDT 2008
On Sep 28, 2008, at 2:15 PM, Robert O'Callahan wrote:
> On Mon, Sep 29, 2008 at 12:17 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:
>> On Sun, 28 Sep 2008, Robert O'Callahan wrote:
>>> There is no way in the world that Microsoft would implement your
>>> option 3 in a security update to IE6.
>>
>> Sure, I'm not implying this. I simply have doubts about any other
>> major security changes making it into MSIE8 or Firefox 3.
>
> As one of the people who makes these decisions, I can tell you that
> I'd be a lot more comfortable cramming option 1 into Firefox 3 or
> 3.1 than option 3. Apart from the other reasons I've already raised,
> option 1, being much simpler and with few degrees of freedom, would
> take a lot less time to analyze and converge on a spec.

As one of the people who helps decide for Safari, I would agree that
option 1 is a lot more likely to make it into a security update than