[rfc-i] draft-iab-html-rfc-03.txt

housley at vigilsec.com (Russ Housley) Fri, 01 July 2016 19:37 UTC

From: housley at vigilsec.com (Russ Housley)
Date: Fri, 1 Jul 2016 15:37:19 -0400
Subject: [rfc-i] draft-iab-html-rfc-03.txt
In-Reply-To: <AC464B29-AF81-4630-BF9C-11523E8730AE@vpnc.org>
References: <20160630212722.29518.45020.idtracker@ietfa.amsl.com> <AB0EAE56-95EF-451D-ADB9-9621352A1A45@vigilsec.com> <AC464B29-AF81-4630-BF9C-11523E8730AE@vpnc.org>
Message-ID: <721E7511-9385-4AAA-AFC6-88A56FAE3530@vigilsec.com>

> 
>> The security considerations say:
>> 
>>   Since RFCs are sometimes exchanged outside the normal Web sandboxing
>>   mechanism (such as using the "rsync" program to a mirror site) then
>>   loaded from a local file, more care must be taken with the HTML than
>>   is ordinary on the web.
>> 
>> Is that care already factored into the specification?  If so, please say that.  If not, what additional care is needed?
> 
> It is not factored in. It is impossible to say what additional care would be needed because we cannot anticipate what errors in browsers would cause problems with random HTML.

What care are you expecting people to take to compensate for the lack of ?normal web sandboxing??  I cannot figure out what you are expecting here.

Russ

[rfc-i] draft-iab-html-rfc-03.txt Russ Housley
[rfc-i] draft-iab-html-rfc-03.txt Paul Hoffman
[rfc-i] draft-iab-html-rfc-03.txt Russ Housley
[rfc-i] draft-iab-html-rfc-03.txt Paul Hoffman
[rfc-i] draft-iab-html-rfc-03.txt Brian E Carpenter
[rfc-i] draft-iab-html-rfc-03.txt Dave Crocker
[rfc-i] draft-iab-html-rfc-03.txt Joe Hildebrand jhildebr