On Fri, Jan 31, 2014 at 3:28 PM, Joe Bowser <[email protected]> wrote:
> On Fri, Jan 31, 2014 at 1:13 PM, Martin Georgiev <[email protected]> wrote:
>> On Fri, Jan 31, 2014 at 2:58 PM, Andrew Grieve <[email protected]> wrote:
>>> Ha! Well that's pretty clear. :) I don't think having JS generate it is a
>>> good idea then.
>>
>> It is not. You as an app developer do not control who puts where their JS.
>>
>
> Remember, we're not App Developers, we're framework developers.  Our
> users are app developers, usually novice ones who know nothing about
> security, and do stupid things like include random JS from anywhere on
> the web.  These are the same people who do really stupid things like
> publish apps with practically no whitelist.
>
> This exercise is about adding a blade guard to our circular saw.  Our
> users can still cut their hands off by being stupid, but it should be
> obvious that's what they're doing.

Agree. Yet, it is unlikely that app developers will start caring about
security. All they care about is getting their app published (and
possibly making some $ off it). So, unless the framework developer
makes sure that all use cases are handled properly, there will always
be some users being hosed.
