Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 3 Dec 2014 15:57:20 +0100
Message-ID: <CADnb78gr5H2-dkEPM6YSzW-TASvKAH2tO0tziGwnbj7H64jVVQ@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: Chris Palmer <palmer@google.com>, "public-geolocation@w3.org" <public-geolocation@w3.org>, Mike West <mkwst@google.com>

On Tue, Dec 2, 2014 at 1:38 AM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> It seems much more reasonable for them to expect that "goats.com" is
> going to broadcast the coordinates and other identifying information
> to any number of third parties without their knowledge or permission
> for hyperlocal marketing and worse. Possibly not even intentionally,
> the coordinates might simply end up in an address that a third party
> analytics script picks up. Users may also fail to realise the site's
> going to publicly broadcast the coordinates as part of some user's
> profile status page.

At least this will result in distrust of "goats.com" whereas in the
scenario we are concerned with nobody would find out that credentials
have been shared with other parties (not until the next big leak
anyway). Being able to put trust or distrust in a domain name rather
than the network (which you cannot put trust in) is what this is
about. The user still gets to choose whether to trust the domain name,
but they no longer have to choose whether to trust a network we already
know they cannot trust.

Received on Wednesday, 3 December 2014 14:57:47 UTC