What's the rationale of moving security checks outside of normative requirements? #287
Comments
Check is present in normative section 6.2 Sensor |
|
Each condition of the security check used to be a RFC 2119 "MUST" requirement, they're now used as examples for something the user agent "can" do (whatever that means is up to interpretation, and it's arguably non-normative):
So there's a massive difference between the current state of things and what it used to be. I'm kind of surprised this actually needs to be stated. |
|
Can I ask for rationale for doing so, for example justified with some analysis? |
|
@alexshalamov can something be a conforming implementation of this spec if the checks shown are not routinely performed? |
|
For reference, here's what the security check previously looked liked: https://cdn.rawgit.com/w3c/sensors/29065ab/index.html#security-check It was normatively required as first step of https://cdn.rawgit.com/w3c/sensors/29065ab/index.html#update-latest-reading |
|
That was an oversight, thanks for reporting! In Chromium all these checks defined in conditions are implemented. We will make them MUSTs. |
|
I don't understand why you don't just roll these changes back instead of reworking it further. There are plenty of issues with this PR including now using normative keywords in informative sections, etc. |
My understanding of #280 is that previously normative security checks are now examples that user agents are free to implement. What's the rationale behind this? I can't find any documented reason to make these changes. This seems like it's going to hurt end user security, and make it harder for developers to build consistent experiences across user agents. And I'm not sure I understand what benefits there is to doing so. Where can I find the arguments behind these changes?
The text was updated successfully, but these errors were encountered: