W3C home > Mailing lists > Public > public-pua@w3.org > October 2012

Proposal for reducing covert sharing of UA state.

From: Fred Andrews <fredandw@live.com>
Date: Tue, 30 Oct 2012 15:28:19 +0000
Message-ID: <BLU002-W62771CCBDC8108C1A3E15DAA620@phx.gbl>
To: "public-privacy@w3.org" <public-privacy@w3.org>, "public-pua@w3.org" <public-pua@w3.org>
An attempt has been made to outline a proposal for reducing the risk of covert sharing of the UA state, and although it needs a lot more work, it may be of interest for discussions this week.  See: http://www.w3.org/community/pua/wiki/Draft

In summary the proposal suggests extensions that would allow web workers to receive user input via messages posts, and to post changes back to the DOM.  It also proposes that a declarative markup mechanism be added for creating web works so that a document with JS disabled or restricted could still implement page logic in web workers.  To reduce the risk of covert sharing of UA state it is proposed to add a document 'Private' JS context that limits access to back channels yet could still have DOM access to implement rich applications.

While this would not eliminate fingerprinting issues, it would reduce the fingerprint surface, and allow a line to be drawn between private UA presentation state and state shared with the web.

These extensions may have some value for designing secure content because a JS driven page could be implemented without the document JS context enabled which would reduce many UI redressing risks.

I would also like to explore possible benefits for accessibility that could flow from webpage designs that separate page logic into web workers and that use messages to receive input from the webpage and to post changes back.


Received on Tuesday, 30 October 2012 15:28:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:36:06 UTC