Re: Opting in to cookies - proposal version 3 from Jonas Sicking on 2008-06-19 (public-webapps@w3.org from April to June 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Jun 2008 14:19:13 -0700
To: Ian Hickson <ian@hixie.ch>
CC: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <485ACD51.6080703@sicking.cc>

Ian Hickson wrote:
> On Thu, 19 Jun 2008, Jonas Sicking wrote:
>> And it's useful for pages that contain private information only when 
>> cookies are sent, but when no cookies are sent they only provide public 
>> information. I've given two examples of this in other threads:
>>
>> 1. A news site serving articles in different categories. When the user
>>    is logged in and has configured a home zipcode includes a category
>>    of local news.
>>
>>    Example: news.yahoo.com
>>
>> 2. A discussion board that allows comments to be marked private. Only
>>    when a user is logged in and has access to private comments are the
>>    private comments included, otherwise only the public comments are
>>    shown.
>>
>>    Example: buzilla.mozilla.com
> 
> For these, how would the site initating the connection to the data 
> provider server know whether or not to include the load-private-data flag?

The same way that it knows which URI to load. I expect that sites will 
document what resources can be loaded at what URIs, and with which query 
parameters as part of the API documentation. Whether private data is 
served can be documented at the same place. Along with information on 
what to do if access is denied for that private information.

> Surely if the server does anything with the load-private-data flag, then 
> it is fundamentally as vulnerable as if we didn't do any of this.

Yes, this is about reducing likelyhood that things go wrong, not 
eliminating it as that seems impossible.

> This 
> only helps with servers that have same-domain pages that accept cookies, 
> but have no cross-domain pages that accept cookies, ever (since if any of 
> the cross-domain pages accept cookies, then our initial assumption -- that 
> the site author makes a mistake and his site reacts to cookies in 
> third-party requests by doing bad things -- means that he's lost).

How so. Sites that have a combination of private and public data can, 
and hopefully will, only set the Access-Control-With-Credentials header 
for the parts that serve private data. It needs to apply different 
opt-in policies here anyway since it needs to ask the user before 
sharing any of his/her data.

/ Jonas

Received on Thursday, 19 June 2008 21:19:17 UTC