RE: File writing ponderings (was: Re: Security evaluation of an example DAP policy)

2009-11-22 Thread Marcin Hanclik
1, 2009 9:31 AM To: Jonas Sicking Cc: Robin Berjon; Adam Barth; public-device-a...@w3.org; public-webapps WG Subject: Re: File writing ponderings (was: Re: Security evaluation of an example DAP policy) On Sat, Nov 21, 2009 at 12:26 AM, Jonas Sicking wrote: > Hmm.. This is a very intere

Re: File writing ponderings (was: Re: Security evaluation of an example DAP policy)

2009-11-21 Thread Aaron Boodman
On Sat, Nov 21, 2009 at 12:26 AM, Jonas Sicking wrote: > Hmm.. This is a very interesting idea. Definitely worth exploring more. > > What I had in mind was basically something like this: > > 1. An API for creating File objects by concatenating strings, Blobs, > ByteArrays (or whatever they'll be c

File writing ponderings (was: Re: Security evaluation of an example DAP policy)

2009-11-21 Thread Jonas Sicking
Starting a new thread since the other one was more of a meta-discussion, this one has more technical meat on it. On Fri, Nov 20, 2009 at 9:23 AM, Robin Berjon wrote: > On Nov 20, 2009, at 17:40 , Adam Barth wrote: > On Fri, Nov 20, 2009 at 8:34 AM, Robin Berjon wrote: >>> DAP will handle securit

Re: Security evaluation of an example DAP policy

2009-11-21 Thread Jonas Sicking
On Fri, Nov 20, 2009 at 8:34 AM, Robin Berjon wrote: > On Nov 20, 2009, at 00:22 , Adam Barth wrote: >> It's emails like this that make me skeptical of the security work >> being done in the device APIs working group. > > *sigh* I feel like a broken record. It feels like I've spent my time since

RE: Security evaluation of an example DAP policy

2009-11-20 Thread Marcin Hanclik
b...@orange-ftgroup.com [richard.tibb...@orange-ftgroup.com] Sent: Friday, November 20, 2009 7:30 PM To: Marcin Hanclik; frederick.hir...@nokia.com; jor...@chromium.org Cc: m...@apple.com; jo...@sicking.cc; w...@adambarth.com; ro...@berjon.com; public-device-a...@w3.org; public-webapps@w3.org Subject:

RE: Security evaluation of an example DAP policy

2009-11-20 Thread richard.tibbett
g > [mailto:public-device-apis-requ...@w3.org] On Behalf Of Marcin Hanclik > Sent: 20 November 2009 15:13 > To: Frederick Hirsch; ext Jeremy Orlow > Cc: Maciej Stachowiak; Jonas Sicking; Adam Barth; Robin > Berjon; public-device-a...@w3.org; public-webapps WG > Subject: RE: Secu

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Robin Berjon
On Nov 20, 2009, at 17:40 , Adam Barth wrote: On Fri, Nov 20, 2009 at 8:34 AM, Robin Berjon wrote: >> DAP will handle security at the API definition level. Full stop. > > Can you elaborate on what this means concretely? For example, how is > security handled at the API definition level for the f

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Adam Barth
On Fri, Nov 20, 2009 at 8:34 AM, Robin Berjon wrote: > DAP will handle security at the API definition level. Full stop. Can you elaborate on what this means concretely? For example, how is security handled at the API definition level for the file writing API? Adam

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Robin Berjon
On Nov 20, 2009, at 01:26 , Maciej Stachowiak wrote: >> For what it's worth, I think any API that opened a dialog asking the >> user "Do you want to give website X access to directory Y in your file >> system" would not be an API we'd be willing to implement in firefox. >> I.e. our security policy

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Robin Berjon
On Nov 20, 2009, at 00:22 , Adam Barth wrote: > It's emails like this that make me skeptical of the security work > being done in the device APIs working group. *sigh* I feel like a broken record. It feels like I've spent my time since TPAC involved in an endless repeat of the following discussio

RE: Security evaluation of an example DAP policy

2009-11-20 Thread Marcin Hanclik
ch; ext Jeremy Orlow; Maciej Stachowiak; Jonas Sicking; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy Marcin do you have any more comment on any of the following from the draft policy requirements document? http

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Frederick Hirsch
k; Jonas Sicking; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy Jeremy Thanks. I want to make sure I understand the concerns. I guess the question is whether one can bake all the security in that is needed for

RE: Security evaluation of an example DAP policy

2009-11-20 Thread Marcin Hanclik
: Frederick Hirsch; Marcin Hanclik; Maciej Stachowiak; Jonas Sicking; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy Jeremy Thanks. I want to make sure I understand the concerns. I guess the question is whether one ca

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Jeremy Orlow
; >> >> >> >> >> >> >> >> >> /.+/ >> >> >> >> >> >> Let's see how DAP will evolve then. >> >> Thanks, >> Marcin >> __

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Frederick Hirsch
..@apple.com] Sent: Friday, November 20, 2009 1:26 AM To: Jonas Sicking Cc: Marcin Hanclik; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy On Nov 19, 2009, at 4:23 PM, Jonas Sicking wrote: On Thu, Nov 19, 2009 at 4:07 PM,

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Jeremy Orlow
t; >> Thanks, >> Marcin >> >> From: Maciej Stachowiak [...@apple.com] >> Sent: Friday, November 20, 2009 1:26 AM >> To: Jonas Sicking >> Cc: Marcin Hanclik; Adam Barth; Robin Berjon; public-device-a...@w3.org; >> p

Re: Security evaluation of an example DAP policy

2009-11-20 Thread Frederick Hirsch
hanks, Marcin From: Maciej Stachowiak [...@apple.com] Sent: Friday, November 20, 2009 1:26 AM To: Jonas Sicking Cc: Marcin Hanclik; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy On Nov 19, 2009, at 4

RE: Security evaluation of an example DAP policy

2009-11-20 Thread Marcin Hanclik
] Sent: Friday, November 20, 2009 2:04 AM To: Marcin Hanclik Cc: Maciej Stachowiak; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy On Thu, Nov 19, 2009 at 4:49 PM, Marcin Hanclik wrote: > Hi Jonas, Maciej, > >

Re: Security evaluation of an example DAP policy

2009-11-19 Thread Jonas Sicking
On Thu, Nov 19, 2009 at 4:49 PM, Marcin Hanclik wrote: > Hi Jonas, Maciej, > > It seems that the policy that you would accept would be: > > >   >   >     >       >     >   >   >     >       /.+/ >     >   >   > > > Let's see how DAP will evolve then. Given that I don't know the specifi

RE: Security evaluation of an example DAP policy

2009-11-19 Thread Marcin Hanclik
riday, November 20, 2009 1:26 AM To: Jonas Sicking Cc: Marcin Hanclik; Adam Barth; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Re: Security evaluation of an example DAP policy On Nov 19, 2009, at 4:23 PM, Jonas Sicking wrote: > On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik

Re: Security evaluation of an example DAP policy

2009-11-19 Thread Maciej Stachowiak
On Nov 19, 2009, at 4:23 PM, Jonas Sicking wrote: On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik wrote: Hi Adam, I think that /(C|c):\\(.+)\\(.+)/ should be /(C|c):\\([^\\]+)\\.+/ up to any further bug in the RE. Sorry, my problem. Anyway, the general comment is that the use case is

Re: Security evaluation of an example DAP policy

2009-11-19 Thread Maciej Stachowiak
On Nov 19, 2009, at 4:00 PM, Marcin Hanclik wrote: Hi Adam, Thanks for your review! This is what the BONDI specs need :) I am sorry that you are skeptical and believe that with joint forces BONDI and DAP will end up with a good solution. If I understand this policy correctly, this would l

Re: Security evaluation of an example DAP policy

2009-11-19 Thread Jonas Sicking
On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik wrote: > Hi Adam, > > I think that > func="regexp">/(C|c):\\(.+)\\(.+)/ > should be > func="regexp">/(C|c):\\([^\\]+)\\.+/ > up to any further bug in the RE. > Sorry, my problem. > > Anyway, the general comment is that the use case is under control

RE: Security evaluation of an example DAP policy

2009-11-19 Thread Marcin Hanclik
k Cc: Maciej Stachowiak; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Security evaluation of an example DAP policy If I understand this policy correctly, this would let a web site overwrite boot.ini if the user clicks through a prompt-oneshot. This does not seem like a good ide

RE: Security evaluation of an example DAP policy

2009-11-19 Thread Marcin Hanclik
iak; Robin Berjon; public-device-a...@w3.org; public-webapps WG Subject: Security evaluation of an example DAP policy If I understand this policy correctly, this would let a web site overwrite boot.ini if the user clicks through a prompt-oneshot. This does not seem like a good idea. You can tell you

Security evaluation of an example DAP policy

2009-11-19 Thread Adam Barth
If I understand this policy correctly, this would let a web site overwrite boot.ini if the user clicks through a prompt-oneshot. This does not seem like a good idea. You can tell your policy is in trouble because you're blacklisting C:\WINNT. What if my system is installed on my D: drive? It's