cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 21:28:17 GMT
On Fri, Jan 31, 2014 at 1:13 PM, Martin Georgiev <mgeorgiev@utexas.edu> wrote:
> On Fri, Jan 31, 2014 at 2:58 PM, Andrew Grieve <agrieve@chromium.org> wrote:
>> Ha! Well that's pretty clear. :) I don't think having JS generate it is a
>> good idea then.
>
> It is not. You as an app developer do not control who puts where their JS.
>

Remember, we're not App Developers, we're framework developers.  Our
users are app developers, usually novice ones who know nothing about
security, and do stupid things like include random JS from anywhere on
the web.  These are the same people who do really stupid things like
publish apps with practically no whitelist.

This exercise is about adding a blade guard to our circular saw.  Our
users can still cut their hands off by being stupid, but it should be
obvious that's what they're doing.

Mime
View raw message