Re: Fingerprinting Guidance for Web Specification Authors

2015-12-01 Thread Jeffrey Walton
On Tue, Dec 1, 2015 at 11:52 AM, Arthur Barstow wrote: > Editors, All - please see "Fingerprinting Guidance for Web Specification > Authors" > and reflect it in your spec, accordingly. Tracking can be a

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
/19/2015 01:43 PM, Jeffrey Walton wrote: On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann derhoe...@gmx.net wrote: * Jeffrey Walton wrote: Here's yet another failure that Public Key Pinning should have stopped, but the browser's rendition of HPKP could not stop because of the broken security

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren ann...@annevk.nl wrote: On Sun, Feb 15, 2015 at 10:59 PM, Jeffrey Walton noloa...@gmail.com wrote: For the first point, Pinning with Overrides (tools.ietf.org/html/draft-ietf-websec-key-pinning) is a perfect example of the wrong security model

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Thu, Feb 19, 2015 at 12:15 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Feb 19, 2015 at 6:10 PM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren ann...@annevk.nl wrote: What would you suggest instead? Sorry to dig up an old thread

Re: The futile war between Native and Web

2015-02-19 Thread Jeffrey Walton
On Thu, Feb 19, 2015 at 4:31 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Feb 19, 2015 at 10:05 PM, Jeffrey Walton noloa...@gmail.com wrote: For what it's worth, I'm just the messenger. There are entire organizations with Standard Operating Procedures (SOPs) built around the stuff I'm

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 11:19 AM, Anders Rundgren anders.rundgren@gmail.com wrote: ... You would anyway end-up with proprietary AppStores with granted Apps and then I don't really see the point insisting on using web-technology anymore. General code-signing like used in Windows

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 3:17 AM, Florian Bösch pya...@gmail.com wrote: On Mon, Feb 16, 2015 at 9:08 AM, Jeffrey Walton noloa...@gmail.com wrote: I'd hardly consider an account holder's data as high value. Medium at best and likely low value. But that's just me. Of course if the data

Re: The futile war between Native and Web

2015-02-16 Thread Jeffrey Walton
On Mon, Feb 16, 2015 at 2:15 AM, Florian Bösch pya...@gmail.com wrote: On Mon, Feb 16, 2015 at 8:09 AM, Anders Rundgren anders.rundgren@gmail.com wrote: Unfortunately this is wrong and is why I started this thread. Mobile banking applications in Europe are usually featured as Apps. This

Re: The futile war between Native and Web

2015-02-15 Thread Jeffrey Walton
In practice this has proved to be wrong although the reasons vary from lack of standards for the platform feature to support, I find there are two problems with browser based apps. First is the security model, and second is anemic security opportunities. For the first point, Pinning with

Re: =[xhr]

2014-11-27 Thread Jeffrey Walton
I think there are several different scenarios under consideration. 1. The author says Content-Length 100, writes 50 bytes, then closes the stream. 2. The author says Content-Length 100, writes 50 bytes, and never closes the stream. 3. The author says Content-Length 100, writes 150 bytes,

Re: What I am missing

2014-11-18 Thread Jeffrey Walton
On Wed, Nov 19, 2014 at 12:35 AM, Michaela Merz michaela.m...@hermetos.com wrote: Well .. it would be an all scripts signed or no script signed kind of a deal. You can download malicious code everywhere - not only as scripts. Signed code doesn't protect against malicious or bad code. It only

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-16 Thread Jeffrey Walton
. [0] http://www.w3.org/TR/html-design-principles/#solve-real-problems [1] http://www.w3.org/TR/html-design-principles/#priority-of-constituencies [2] http://www.w3.org/TR/html-design-principles/#secure-by-design On Sep 15, 2014 3:18 PM, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Sep 15

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-15 Thread Jeffrey Walton
On Mon, Sep 15, 2014 at 4:27 AM, Arthur Barstow art.bars...@gmail.com wrote: This is a heads-up Hallvord intends to publish a WD of Clipboard API and events and he is targeting a publication date of September 18. The ED http://dev.w3.org/2006/webapi/clipops/clipops.html If anyone has any

Re: PSA: publishing new WD of Clipboard API and events on Sept 18

2014-09-15 Thread Jeffrey Walton
On Mon, Sep 15, 2014 at 5:26 PM, Hallvord R. M. Steen hst...@mozilla.com wrote: http://dev.w3.org/2006/webapi/clipops/clipops.html Please forgive my ignorance. But I don't see a requirement that data egressed from the local machine be protected with SSL/TLS. I can certainly add a note

Re: Proposal for a Permissions API

2014-09-04 Thread Jeffrey Walton
On Thu, Sep 4, 2014 at 4:24 PM, Florian Bösch pya...@gmail.com wrote: On Thu, Sep 4, 2014 at 10:18 PM, Marcos Caceres mar...@marcosc.com wrote: This sets up an unrealistic straw-man. Are there any real sites that would need to show all of the above all at the same time? Let's say you're

Re: Blocking message passing for Workers

2014-08-11 Thread Jeffrey Walton
On Mon, Aug 11, 2014 at 7:52 PM, David Bruant bruan...@gmail.com wrote: On 12/08/2014 00:40, Glenn Maynard wrote: On Sat, Aug 9, 2014 at 9:12 AM, David Bruant bruan...@gmail.com wrote: This topic is on people's minds [1]. My understanding of where we're at is that ECMAScript 7 will bring

Re: [clipboard] Semi-Trusted Events Alternative

2014-07-26 Thread Jeffrey Walton
On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith pedz...@gmail.com wrote: Sorry if this is a lame question but I never understood the dangers of Copy and Paste that the web is trying to avoid. Can someone explain that to me? It's a point of data egress. You don't want sensitive information from

Re: [clipboard] Semi-Trusted Events Alternative

2014-07-26 Thread Jeffrey Walton
On Sat, Jul 26, 2014 at 9:34 AM, Perry Smith pedz...@gmail.com wrote: On Jul 26, 2014, at 8:26 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Jul 26, 2014 at 9:19 AM, Perry Smith pedz...@gmail.com wrote: Sorry if this is a lame question but I never understood the dangers of Copy

WebApp installation via the browser

2014-05-30 Thread Jeffrey Walton
I have a question about Use Cases for Installable WebApps located at https://w3c-webmob.github.io/installable-webapps/. Under section Add to Homescreen, the document states: ... giving developers the choice to tightly integrate their web applications into the OS directly from the Web

Re: WebApp installation via the browser

2014-05-30 Thread Jeffrey Walton
On Fri, May 30, 2014 at 9:04 PM, Brendan Eich bren...@mozilla.org wrote: Jeffrey Walton wrote: Are there any platforms providing the feature? Has the feature gained any traction among the platform vendors? Firefox OS wants this. Thanks Brendan. As a second related question