[rfc-i] draft-iab-html-rfc-03.txt

Paul Hoffman paul.hoffman at vpnc.org
Fri Jul 1 12:44:49 PDT 2016


On 1 Jul 2016, at 12:37, Russ Housley wrote:

>>
>>> The security considerations say:
>>>
>>>   Since RFCs are sometimes exchanged outside the normal Web sandboxing
>>>   mechanism (such as using the "rsync" program to a mirror site) then
>>>   loaded from a local file, more care must be taken with the HTML than
>>>   is ordinary on the web.
>>>
>>> Is that care already factored into the specification?  If so, please 
>>> say that.  If not, what additional care is needed?
>>
>> It is not factored in. It is impossible to say what additional care 
>> would be needed because we cannot anticipate what errors in browsers 
>> would cause problems with random HTML.
>
> What care are you expecting people to take to compensate for the lack 
> of “normal web sandboxing”?  I cannot figure out what you are 
> expecting here.

They could "look for strange behavior".

Alternately, we could remove this security consideration because we 
don't have any specific advice, but it seems that the current preference 
is to list all known security considerations even if they can't be dealt 
with in a specific fashion.

--Paul Hoffman

