mugdhalakhani closed 4 years ago
My main goal is to ensure we don't unnecessarily resist making requirements normative if making them normative convinces @othermaciej to ship this in Safari and the normative requirements don't prevent anything we actually think is a good idea.
Just to be clear, I'm not promising any particular Security Considerations changes would convince us to implement or ship this in Safari. We still share Mozilla's privacy concerns, for one thing. But we'll re-review the spec once it's updated.
More broadly, though, I do think that behavior which seems needed for safety should be normative, and while UA flexibility is nice, it's not necessary if anyone would actually implement the imagined different behavior.
The spec already has various mitigations for security concerns baked in; this ties it all together and links to them from one central place.
This addresses Issue #170. @jakearchibald PTAL.