On Wednesday, December 13, 2017 at 5:08:05 PM UTC-6, Matt Palmer wrote:

> > There is a "curatorship", if you will, engaged by the site author.  If
> > there are sub-resources loaded in, whether they are EV or not, it is the
> > root page author's place to "take responsibility" for the contents of the
> > DV or EV validated sub-resources that they cause to be loaded.
> 
> Oh, if only that were true -- then every site that embedded a third-party ad
> network that served up malware could be done under the CFAA, and the world
> would be a much, much better place.
> 
> But it isn't, and your "curatorship" model of the web, whilst a lovely idea,
> is completely unsupported by reality.

I concur that today far fewer than should have acted in accordance with such a 
model.

But that could change any time.  As the web platform's general capabilities 
expand, more and further abuses driven by site authors are going to reshape 
that paradigm.

It seems inevitable.  We've got frameworks for burning browsers' CPU and energy 
to mine alt-coins in the background while you're served up cat memes.

It has been a presumption, up to this point, that a person visiting a website 
has agreed within non-destructive limits to have their browser/computer perform 
whatever tasks the website says to.

The kinds of abuses evolving won't permit such an assumption moving forward.

A modern website is software like any other.  While it lives in a sandbox, it's 
still software driving a computer.

People have and do go to prison, even for terms approximating their life spans, 
for the creation and distribution of malware.

There's no real technological or logical reason that a sufficiently complex 
website is any different.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
