W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [WebSQL/IndexedDB] Privacy issues in the wild

From: <Frederick.Hirsch@nokia.com>
Date: Fri, 24 Sep 2010 01:51:42 +0200
To: <jorlow@chromium.org>
CC: <Frederick.Hirsch@nokia.com>, <w3c@nathankitchen.com>, <public-webapps@w3.org>
Message-ID: <68A5EE74-89B7-4E79-B114-712801272EE7@nokia.com>
Jeremy


http://dev.w3.org/html5/webstorage/#user-tracking and http://dev.w3.org/html5/webdatabase/#user-tracking already addresses EXACTLY this.  I don't think there's anything to do from a spec standpoint.

It doesn't address it from the end-user perspective . The spec says "There are a number of techniques that can be used to mitigate the risk of user tracking", thus if nothing is implemented the potential end-user concern remains.

More could be done in the specification by making certain techniques mandatory to implement to help users avoid such tracking. Whether that is appropriate or would be effective is a decision to be made (or already has been).

It is useful that the issue and potential techniques are mentioned. Maybe at some point threats and countermeasures need to be reviewed with the various "HTML5" specifications considered together.

regards, Frederick

Frederick Hirsch
Nokia



On Sep 8, 2010, at 5:51 AM, ext Jeremy Orlow wrote:

On Tue, Sep 7, 2010 at 7:51 PM, Nathan Kitchen <w3c@nathankitchen.com<mailto:w3c@nathankitchen.com>> wrote:
Hi all.

Stumbled across this article on Ars Technica regarding the abuse of the WebSQL spec. I thought I'd share it here for a couple of reasons:

 1.  Someone might want to point out that it's part of the Offline Storage Spec, not strictly HTML5.

HTML5 is a buzz word.  Like AJAX or LAMP.  Very few people in this world (should) care about precisely what spec something came from.

 1.  Security implications may inform some aspects of the spec.

http://dev.w3.org/html5/webstorage/#user-tracking and http://dev.w3.org/html5/webdatabase/#user-tracking already addresses EXACTLY this.  I don't think there's anything to do from a spec standpoint.

Article: Advertisers get hands stuck inside HTML5 database cookie jar (http://arstechnica.com/apple/news/2010/09/rldguid-tracking-cookies-in-safari-database-form.ars)

Thanks.

Nathan
Received on Friday, 24 September 2010 00:11:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT