- From: Guilherme Hermeto <gui.hermeto@gmail.com>
- Date: Thu, 3 Aug 2017 00:11:54 -0700
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CALf91EUgbLrCA-nxsBRvOKV_b40mncXTNrpSeKfiL0bTyqEObQ@mail.gmail.com>
On Thu, Aug 3, 2017 at 12:02 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > On 03/08/17 07:34, Guilherme Hermeto wrote: > > Browsers ask for the user permission to use the Gelolocation API and even > > though the user gives the consent once, some clients keep tracking the > user > > for long after. So the potential for abuse already exists in the client. > It > > isn't being introduced on this proposal. > > I don't see that as a good argument for increasing the > potential for abuse. That seems like making an attack > surface bigger, which'd normally be regarded as a bad > plan. > > Separately, as a happy NoScript user, I'd also prefer > to not have yet another attack vector to have to worry > about. > > S. > > > First, I really admire that you can live these days NoScript... But going back to the issue in hand, as your client gives you the option to block script, and to block cookies, it must also give you the option block Geolocation. As I mentioned in my previous message, like a SetCookie that is initiated by the server, the client must make the final decision if the data is sent to server or not. Btw, when I mentioned abuse, I meant it as privacy issue. And there are clearly privacy issues, just like it does with cookies. But can you really call it an attack?
Received on Thursday, 3 August 2017 07:14:13 UTC