[whatwg] whatwg Digest, Vol 82, Issue 10

Boris Zbarsky bzbarsky at MIT.EDU
Tue Jan 4 22:34:58 PST 2011


On 1/5/11 12:29 AM, Glenn Maynard wrote:
> Stricter requirements like SSL makes more sense for the latter case.
> I'd put geolocation squarely in the first, lesser group.

I wouldn't.  Just because a user trusts some particular entity to know 
exactly where they are, doesn't mean they trust their stalker with that 
information.  I picked geolocation specifically, because that involves 
an irrevocable surrender of personal information, not just annoyance 
like disabling the context menu.

>> Or various kinds of cross-site script injection (which you may or may not
>> consider as a compromised server).
>
> I suppose this is analogous to buffer overflows in native code.

As opposed to a virus infection (which would be similar to a compromised 
server), say?  Yes, that seems like a good analogy.  One difference is 
that buffer overflows are primarily a problem insofar as you don't 
control your input.  With a website, you never "control your input": 
anyone can point the user to any url on your site.  Even urls you didn't 
think of existing.

-Boris




More information about the whatwg mailing list