W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: Cross-Site Requests, Users, UI (and What We're Trying to Fix)

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 4 Jul 2008 10:37:06 +0200
To: Arun Ranganathan <arun@mozilla.com>
Cc: public-webapps@w3.org, sunavad@windows.microsoft.com, zhenbin.xu@microsoft.com
Message-ID: <20080704083706.GN288@iCoaster.does-not-exist.org>

On 2008-07-03 12:49:51 -0700, Arun Ranganathan wrote:

> 2. "clean up" unsafe legacy mechanisms[2] as best as possible. 
> While user interface mechanisms may help to generally inform the
> user and customize their web experience (e.g. stopping third
> party Cookies, etc.), "STOP | CONTINUE" type messages affiliated
> with APIs such as XMLHttpRequest (with AC) may be misleading in
> this context, since sites that wish to exchange data can use any
> number of mechanisms[1] on the web today and not inform the user.

Based on what the WSC WG has heard from various studies and
experience out there, I'd also suspect that kind of message to be
ineffective -- either, they are going to be annoying enough that
users will clamor for them to be hidden, or people will get used to

The annoyance factor might serve as a disincentive for sites to
actually use the feature; that's about the only effect one can
achieve that way.

> Of course, it is generally good behavior for sites that store
> user-private data to have privacy policies and inform the user
> about any sharing with other sites.

Indeed.  It might also be useful for user agent developers to do
some fresh thinking about privacy indicators, and how to tie them to
policies and underlying technologies.  Maybe an interesting topic
for some blue-sky thinking.

Thomas Roessler, W3C  <tlr@w3.org>
Received on Friday, 4 July 2008 08:37:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:11 UTC