Privilege sep in HTML5:

1. What was the most significant lesson you learned from the paper?
2. What was the weakest/most questionable part(s) of the paper or how could the paper be improved?
3. The paper describes how to provide privilege separation for HTML5 applications (i.e., web applications that run in the browser). Why would we want to use privilege separation in these applications, given that they are already sandboxed by the browser?

Securing the Tangled Web:

4. What was the most significant lesson you learned from the paper?
5. Why didn't they just use a template engine that applies contextual auto-escaping by default, but allows the programmer to turn off auto-escaping for specific values where needed? In what way would that be worse?
6. Optional: What topic would you most like to see discussed in class, or question you would most like to have answered, if any?