Re: Geolocation header

On Thu, Aug 3, 2017 at 12:02 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
>
> On 03/08/17 07:34, Guilherme Hermeto wrote:
> > Browsers ask for the user permission to use the Gelolocation API and even
> > though the user gives the consent once, some clients keep tracking the
> user
> > for long after. So the potential for abuse already exists in the client.
> It
> > isn't being introduced on this proposal.
>
> I don't see that as a good argument for increasing the
> potential for abuse. That seems like making an attack
> surface bigger, which'd normally be regarded as a bad
> plan.
>
> Separately, as a happy NoScript user, I'd also prefer
> to not have yet another attack vector to have to worry
> about.
>
> S.
>
>
>
First, I really admire that you can live these days NoScript...

But going back to the issue in hand, as your client gives you the option to
block script, and to block cookies, it must also give you the option block
Geolocation. As I mentioned in my previous message, like a SetCookie that
is initiated by the server, the client must make the final decision if the
data is sent to server or not.

Btw, when I mentioned abuse, I meant it as privacy issue. And there are
clearly privacy issues, just like it does with cookies. But can you really
call it an attack?

Received on Thursday, 3 August 2017 07:14:13 UTC