Re: Isolating Web apps (was: Making Web Apps first class citizen)

On Friday, March 8, 2013 at 5:57 PM, Dominique Hazael-Massieux wrote:
> Le vendredi 08 mars 2013 à 17:51 +0100, Tobie Langel a écrit :
> > > The threat I'm thinking of is being tracked across many other services
> > > (from the same company or not) when I stay logged in into a service
> > > (Facebook, twitter, google) because I use their associated tools on a
> > > regular basis.
> >  
> > How does not being logged in prevent you from being tracked?
>  
> Sorry, my language was sloppy; it prevents tying my activities to my
> account on the said service. It still allows tracking me anonymously for
> sure (although DNT aims at reducing that risk).

How so? What prevents the service from having placed a cookie with the same unique identifier on both the app and browser? Granted you've logged in at least once on both.

> > Agreed password handling would be nice, though this has to be at the
> > OS level rather than at the UA level for the scenarios described here.
>  
> You mean for native apps? or for "Web apps as first-class citizens"? For
> the latter, I would assume they would still be run by the UA one way or
> another (but that might be too strong an assumption to make, I realize).

I find these different levels of inception terribly confusing myself.

> > BrowserID needs more traction before it can be considered as a serious alternative login solution. It's not there yet.
>  
> Right, but any new solution we could dream up in this space is even
> further away from being there :)

Untrue. Shared cookie jars already exist as a solution today.

> Looking at the SysApps runtime draft,
> http://runtime.sysapps.org/#data-isolation

I'm still unconvinced this is truly mitigating privacy risks. I'm however absolutely convinced it is greatly damaging to the user experience.

> and http://runtime.sysapps.org/#navigation are relevant.

--tobie

Received on Friday, 8 March 2013 17:14:33 UTC