W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [WebSQL/IndexedDB] Privacy issues in the wild

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 8 Sep 2010 10:16:09 -0700
Message-ID: <AANLkTimow4pGyxGnZtRSvxzgWSGZjKswS-vtTBkYoRRf@mail.gmail.com>
To: Nathan Kitchen <w3c@nathankitchen.com>
Cc: public-webapps@w3.org
On Tue, Sep 7, 2010 at 11:51 AM, Nathan Kitchen <w3c@nathankitchen.com> wrote:
> Hi all.
> Stumbled across this article on Ars Technica regarding the abuse of the
> WebSQL spec. I thought I'd share it here for a couple of reasons:
>
> Someone might want to point out that it's part of the Offline Storage Spec,
> not strictly HTML5.
> Security implications may inform some aspects of the spec.
>
> Article: Advertisers get hands stuck inside HTML5 database cookie
> jar (http://arstechnica.com/apple/news/2010/09/rldguid-tracking-cookies-in-safari-database-form.ars)

For what it's worth, we have been discussing attacking this from two
directions in the mozilla implementation of IndexedDB:

1. We're going to prompt the user before allowing any databases to be
created, this both makes it easy for a user to prevent tracking by
simply ignoring requests to create databases (or explicitly denying
them). It also creates a user experience that ad providers often
doesn't want to create, giving them incentive to use other
technologies instead

2. We've talked about putting restrictions on usage of IndexedDB
inside cross-origin iframes. The simplest restriction would be to
simply disallow IndexedDB to be used inside such iframes. This makes
it impossible for ad networks to track you across sites using an
iframe pointing to domain controlled by the ad network and which
handles IndexedDB interactions.

/ Jonas
Received on Wednesday, 8 September 2010 17:16:59 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT