On Jun 22, 2010, at 7:49 PM, Bill Appleton wrote:

> i am pointing out that there is a giant, giant, giant difference between
> plugins that impose themselves on the user and those that are invoked because
> the user wants them.

Plugins don’t impose themselves, nor are they invoked by a user; they’re always invoked by content on a web page. The user might go to that web page specifically to use the plugin, or it might be a side effect, but the mechanism is the same regardless.

> all of the security stuff you are talking about is appropriate for the
> former. all of this security stuff just makes users of the latter pissed off.

No, the ‘security stuff’ is appropriate regardless. If a bunch of people install your plugin, and if someone were to find a security hole in it that lets them do something nasty to your computer, then websites would inevitably pop up that invoked your plugin and exploited the bug. Note that web plugins are more susceptible to attack than regular apps because, once installed, they can be invoked and run _automatically_ by web content, with absolutely no warning and no permission needed by the user. The user might not even know that it’s running. This makes web plugins probably the most potentially-dangerous type of software you can install.

> this is absolutely key. we have 10 K companies that desperately need a simple
> way to install and use our player. this is mission critical for them.

Simplicity and convenience don’t usually go along with security, unfortunately. For example, ActiveX was a very simple and convenient way to extend the web experience (in MSIE on Windows at least), and it became a big part of why Windows had so many security problems.

—Jens