- From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
- Date: Tue, 19 May 2015 12:10:40 +0800
- To: Nicholas Doty <npdoty@ischool.berkeley.edu>
- CC: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <D180D661.9DED%kepeng.lkp@alibaba-inc.com>
> For example, cross-origin data leakage is one of the considerations there.

OK, I got it. If there is data leakage, it will also cause privacy issues.

Maybe we can change the sentence a little bit to reflect this:

5.3 Cross-origin data leakage

Attackers can determine whether some cross-origin resource has certain content by attempting to load it with a known digest, and watching for load failures. If the load fails, the attacker can surmise that the resource didn’t match the hash, and thereby gain some insight into its contents. This might reveal user privacy, for example, whether or not a user is logged into a particular service.

Thanks,

Kind Regards
Kepeng Li
Alibaba Group

From: Nicholas Doty <npdoty@ischool.berkeley.edu>
Date: Tuesday, 19 May, 2015 9:40 am
To: Li Kepeng <kepeng.lkp@alibaba-inc.com>
CC: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Subject: subresource integrity (was Re: PING call)

On May 18, 2015, at 5:20 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote:
>
>> 2. Privacy review request from Web Applications Security WG concerning
>> Subresource Integrity [1]
>
> It seems that there are no privacy considerations in this document.
>
> Should we add something?

There is a Security Considerations section that is likely relevant to the things we typically review:
http://w3c.github.io/webappsec/specs/subresourceintegrity/#security-considerations-1

For example, cross-origin data leakage is one of the considerations there.

I wonder if authors should typically write these as "Security and Privacy Considerations" since they so often overlap.

npd
Received on Tuesday, 19 May 2015 04:11:33 UTC