ietf

Re: mail sandbox wall authority, inward and outbound

2000-05-11 16:10:02
Leonid,

Thanks for your addition:

6. A program wants to send a file to somewhere. Or any permanently stored
   information (like cookie but not limited).

Yes:

Browser operators may not want to send their files, recordings,
pictures, video, or other device inputs to arbitrary sites without
their explicit permission and direction. Therefore, browser
authors are encouraged to disallow the submission of forms
which include any kind of file upload by any means other than the
standard HTML operator-controlled buttons for form submission
without explicit instruction from the session operator to the
contrary. Accordingly, the size attribute, style sheets, and
document layers should be prevented from obscuring any kind
of file upload widget if they are capable of accepting a default
filename. Furthermore, just as the operator may take direct
action to initiate, terminate, review and edit recordings ... browser 
authors are encouraged to prevent HTML scripts from taking those and
similar actions, unless for example the operator has specifically
enabled such script actions with a security option. Even then,
such preferences may be specified by the operator to reset after
an interval or at the end of the browsing session. Finally, explicit
information should be provided by the browser to the operator to
ensure that the operator is fully informed when files are being uploaded.

Cheers,
James
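
The submission policy proposed in the message above, modelled as a decision function. This is an added example, not part of the original message or of any browser's code; the function names, field names and reason strings are hypothetical, and the sample form is constructed.

```javascript
// Added illustration; every name here is hypothetical, not a browser API.

// Operator opt-in for script-driven uploads. It lapses after ttlMs or when
// the browsing session changes, matching the "reset" preferences above.
function optInActive(optIn, now, sessionId) {
  if (!optIn) return false;
  if (optIn.sessionId !== sessionId) return false; // reset at end of session
  return now - optIn.grantedAt < optIn.ttlMs;      // reset after an interval
}

// form:    { fields: [{ type, acceptsDefaultFilename, obscured }] }
// trigger: "operator-button" (standard submit control) or "script"
function decideSubmission(form, trigger, optIn, now, sessionId) {
  const uploads = form.fields.filter((f) => f.type === "file");
  if (uploads.length === 0) {
    return { allow: true, notify: false, reason: "no-file-upload" };
  }
  // An upload widget that can carry a default filename must stay visible.
  if (uploads.some((f) => f.acceptsDefaultFilename && f.obscured)) {
    return { allow: false, notify: true, reason: "obscured-upload-widget" };
  }
  // Anything other than the operator pressing the button needs a live opt-in.
  if (trigger !== "operator-button" && !optInActive(optIn, now, sessionId)) {
    return { allow: false, notify: true, reason: "script-submit-without-opt-in" };
  }
  // Permitted, but the operator is still told that files are leaving.
  return { allow: true, notify: true, reason: "permitted" };
}

// Constructed sample: one visible upload field, submitted by script.
const sampleForm = {
  fields: [
    { type: "text" },
    { type: "file", acceptsDefaultFilename: true, obscured: false },
  ],
};
const sampleOptIn = { grantedAt: 0, ttlMs: 600000, sessionId: "s1" };
console.log(decideSubmission(sampleForm, "script", sampleOptIn, 1000, "s1").reason);
console.log(decideSubmission(sampleForm, "script", sampleOptIn, 700000, "s1").reason);
```

The obscured-widget check runs before the trigger check, so a hidden upload field blocks submission even when the operator presses the button.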