- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 21 Apr 2011 23:09:54 +0200
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
* Tab Atkins Jr. wrote:
>Please correct me if I'm missing something, but I don't see any new
>privacy-leak vectors here. Without Shared Workers, 3rdparty.com can
>just hold open a communication channel to its server and shuttle
>information between the iframes on A.com and B.com that way.

That does not seem to be the right way to think about privacy problems. We know that you "can", in some sense, create cookies that are difficult to delete through conventional means, like "Evercookie" does, but that's not really relevant when discussing adding a .cookieLifetime("long") method that does the same things. For one thing, the former method relies on very many old and complicated methods with known design flaws, the other would be a new feature that accomplishes this easily by design.

(You would also seem to be mistaken; holding a connection does not help if the two iframes cannot share the connection, and traditionally they cannot do that reliably; the problem is rather a matter of one iframe generating or obtaining a secret and getting the other iframe to learn that same secret. As has been noted in the thread, that is possible to some degree, but that is not much of a metric to judge a design.)

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 21 April 2011 21:10:14 UTC