W3C home > Mailing lists > Public > public-web-intents@w3.org > July 2012

Re: Explicit intents privacy concern

From: Greg Billock <gbillock@google.com>
Date: Mon, 23 Jul 2012 13:58:45 -0700
Message-ID: <CAAxVY9cyqU6m2Byj36AczdesZGfGbME48SR7r38NeSUJEwi5QQ@mail.gmail.com>
To: Frederick.Hirsch@nokia.com
Cc: paulkinlan@google.com, public-web-intents@w3.org
Sure, but the attacker here is the client site -- which by definition
already has the data. The point being, if that site is hostile, the
data is already compromised before an intent is ever invoked.

On Mon, Jul 23, 2012 at 1:29 PM,  <Frederick.Hirsch@nokia.com> wrote:
> Yes, the major concern is that the data reaches a site without user consent or involvement.
>
> The approach discussed in the face - face, the "speed bump" , is not to pass the data with this initial connection, allow a user to go "back" without sharing data
>
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
> On Jul 23, 2012, at 2:20 AM, ext Paul Kinlan wrote:
>
>> My general thought would be that this is mitigated by the fact that we can deliver data asynchronously, and if required get the users approval to let the data in to the service app.
>>
>> I think some of the worry is that I am don't have the service installed, because I don't know where the data is going when I click on the button in a client page, it might open up Facebook or G+ and I might find that my data being visible to these abhorent, it might be worse to the user if the service invoked is a site that is completely untrusted.
>>
>> P
>
Received on Monday, 23 July 2012 20:59:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 23 July 2012 20:59:13 GMT