From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Campbell
Subject: Re: Security policy ambiguities - XSA-108 process post-mortem
Date: Tue, 21 Oct 2014 13:32:46 +0100
Message-ID: <1413894766.23337.34.camel@citrix.com>
References: <21557.24142.873029.148164@mariner.uk.xensource.com> <21557.50031.783473.873273@chiark.greenend.org.uk>
In-Reply-To: <21557.50031.783473.873273@chiark.greenend.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Jackson
Cc: xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On Thu, 2014-10-09 at 00:06 +0100, Ian Jackson wrote:
>
> Please provide URLs which are accessible and legible on mobile phone
> browsers, which do not require cookies enabled to load, and which
> are usable with text mode browsers, browsers which do not execute
> Javascript, and with screen readers and other accessibility
> software. If the member of the Xen Project Security Team who
> processes your application finds that their usual web browser does
> not display the required information, when presented with the URLs
> in your email, your application might be delayed or even rejected.

While I appreciate where you are coming from, I don't think it is the place of this policy to rail against the crapitude of the modern web and try and enforce our own standards on things (much as I would like to).

I don't think it is unreasonable to expect that members of the security team who typically run a browser with this crud disabled (which includes myself) would load up their special sandboxed/throwaway browser with a default config when faced with this sort of thing.

That said, the bits about accessibility seem less unreasonable, on the basis that it's not beyond the realms of possibility that someone processing an application might not have the option of turning off a screenreader etc.

Ian.