- From: Pete Snyder <psnyder@brave.com>
- Date: Wed, 10 Apr 2019 11:36:47 -0700
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
(Separate thread) At the AC meeting, Jeff challenged us to suggest ideas that would improve privacy on the web, and not just prevent new standards from making it worse. I think this is a great idea. Here are some large, partially thought through ideas, that I’d like to suggest for more discussion: 1) Determine all rarely used browser functionality (difficult, but I have ideas!), any for any functionality behind a certain threshold, put it behind a permission prompt and / or block it until there is a user gesture in the frame and / or block access to it from 3p code. 2) Use an APIs similar to Trusted Types (e.g. strings that know they’re different from other strings, or kinda-sorta a facsimile of taint tracking) to prevent values from storage syncs from moving across frame boundaries / network sinks. 3) Flip the script on iframes; define a restrictive default feature-policy on all 3p frames. 4) Add idea of feature policy for scripts, define default restrictive feature policy for scripts, make this the default for sites taking advantage of Y new nice feature (HTTP3 / QUIC, etc.) Again, I’m sure all partially half-through through, and could use some humbling and taking down a peg, but wanted to start discussion to answer Jeff’s “call”. Pete
Received on Wednesday, 10 April 2019 18:37:24 UTC