[whatwg] whatwg Digest, Vol 82, Issue 10
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Jan 4 22:34:58 PST 2011
On 1/5/11 12:29 AM, Glenn Maynard wrote:
> Stricter requirements like SSL make more sense for the latter case.
> I'd put geolocation squarely in the first, lesser group.
I wouldn't. Just because a user trusts some particular entity to know
exactly where they are, doesn't mean they trust their stalker with that
information. I picked geolocation specifically, because that involves
an irrevocable surrender of personal information, not just annoyance
like disabling the context menu.
>> Or various kinds of cross-site script injection (which you may or may not
>> consider as a compromised server).
>
> I suppose this is analogous to buffer overflows in native code.
As opposed to a virus infection (which would be similar to a compromised
server), say? Yes, that seems like a good analogy. One difference is
that buffer overflows are primarily a problem insofar as you don't
control your input. With a website, you never "control your input":
anyone can point the user to any URL on your site. Even URLs you didn't
think of existing.
-Boris