- From: Tobie Langel <tobie@w3.org>
- Date: Fri, 8 Mar 2013 17:51:20 +0100
- To: Dominique Hazael-Massieux <dom@w3.org>
- Cc: Frederick.Hirsch@nokia.com, public-closingthegap@w3.org
On Friday, March 8, 2013 at 5:25 PM, Dominique Hazael-Massieux wrote: > Le vendredi 08 mars 2013 à 17:01 +0100, Tobie Langel a écrit : > > Could we list the possible threats to sharing cookie jars? Then see if > > isolation really mitigates them (or just shifts the problem > > elsewhere). > > The threat I'm thinking of is being tracked across many other services > (from the same company or not) when I stay logged in into a service > (Facebook, twitter, google) because I use their associated tools on a > regular basis. > How does not being logged in prevent you from being tracked? > > > Can we look into mitigation strategies that still enable this > > seamless experience without trading security/privacy for it? Are there > > other options, outside of sharing cookie jars, that enable this kind > > of seamless experience? > > > I think the scenario you describe has two main components: > * making it easy for a user to login seamlessly in a given service, > without having to retype passwords — the combination of passwords > handling by browsers, and technologies such as browserid can hopefully > solve a lot of the needs in this space Agreed password handling would be nice, though this has to be at the OS level rather than at the UA level for the scenarios described here. Browserid needs more traction before it can be considered as a serious alternative login solution. It not there yet. > * the interaction between a Web-app-in-browser and > Web-app-as-first-class-citizen (or two of the latter type); in > particular, how links are handled (when does a link end up where); and > that certainly seems like a critical technical piece that would need to > be handled (I'm not sure if SysApps has this in its plan) Absolutely. --tobie
Received on Friday, 8 March 2013 16:51:31 UTC