On Oct 14, 2012, at 3:54 PM, Chris Pearce <[email protected]> wrote:
> On 14/10/12 00:49, Maciej Stachowiak wrote:
>>
>> Despite both of these defenses having drawbacks, I think it is wise for
>> implementations to implement at least one of them. I think the spec should
>> explicitly permit implementations to apply either or both of these
>> limitations, and should discuss their pros and cons in the Security
>> Considerations section.
>
> I don't support making these mandatory, but they should certainly be added to
> the Security Considerations section; we considered them, and we may indeed
> re-consider them in future if it proves necessary.
>
> I support making the spec general enough that implementors can choose their
> security features based on their requirements; what's appropriate for a
> desktop browser may not be appropriate for a tablet, for example.

I agree with both of these comments (in case it wasn't clear). I suggest that these mechanisms should be permitted, not mandatory. Right now it is not entirely clear if either is permitted per spec.

Regards,
Maciej
