Re: Why ignoring unknown mandatory constraints is not stupid

On 11/19/13 10:56 AM, Jan-Ivar Bruaroey wrote:
>> Would it make sense to go with only optional constraints for the first
>> version?
>
> See, now how is that preferable to what I'm proposing?

Sorry, you were talking about the leaking problem (though I proposed a 
solution to that as well, the "user always gets a prompt"). Given the 
number of changes I have to concede what you are proposing as a 
possibility. I just think it would be unfortunate.

On the leak topic:

Having tried to perfect an algorithm that extorts as much info as 
possible, I should say there are limits to the info one can glean from 
one session, since the eventual appearance of a permission prompt, if I 
prod too narrowly, is a giveaway.

The hacker's problem is that

   { mandatory: {foo: true, width: 1600 } }

failing doesn't mean with certainty that the user doesn't have that 
resolution. So the only way to know for sure is to probe for "sets of 
interest" directly, or probe single constraints.

That said, a site that gets repeat visits will eventually get a full 
picture if they probe a different constraint each time, even if the user 
never permits anything. That still seems wrong.

.: Jan-Ivar :.

Received on Tuesday, 19 November 2013 17:01:09 UTC
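
A toy model of the leak discussed in the message above, added here as an illustration; it is not part of the original post and not any browser's implementation. It assumes a browser that understands only `width` (exact match), treats an unknown mandatory constraint as a failure, and shows a page that is never granted permission nothing but "error" or "prompt"; the policy names and helper functions are hypothetical.

```javascript
// Toy model only; NOT the real getUserMedia constraint algorithm.
// Assumption: "width" is the single constraint this toy browser understands.
const KNOWN = new Set(["width"]);

// A mandatory set is satisfiable only if every constraint is known and matches.
function satisfiable(mandatory, device) {
  return Object.entries(mandatory).every(
    ([name, value]) => KNOWN.has(name) && device[name] === value
  );
}

// What a page observes when the user never grants permission.
// "fail-early": unsatisfiable requests error out before any prompt is shown.
// "always-prompt": the user gets a prompt whatever the constraints are.
function observe(mandatory, device, policy) {
  if (policy === "always-prompt") return "prompt";
  return satisfiable(mandatory, device) ? "prompt" : "error";
}

// Number of device classes a page can tell apart from a list of probes.
// 1 means the probes reveal nothing about the device.
function distinguishableClasses(devices, probes, policy) {
  const seen = new Set(
    devices.map((d) => probes.map((p) => observe(p, d, policy)).join(","))
  );
  return seen.size;
}

// Constructed sample devices and probes (not measurements).
const devices = [{ width: 1600 }, { width: 1280 }, { width: 640 }];
// One constraint per probe, e.g. one per visit.
const singleProbes = [{ width: 1600 }, { width: 1280 }, { width: 640 }];
// The set from the message: fails on every device, so it is ambiguous.
const mixedProbe = [{ foo: true, width: 1600 }];

console.log("fail-early, single probes:",
  distinguishableClasses(devices, singleProbes, "fail-early"));
console.log("fail-early, mixed probe:",
  distinguishableClasses(devices, mixedProbe, "fail-early"));
console.log("always-prompt, single probes:",
  distinguishableClasses(devices, singleProbes, "always-prompt"));
```
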