W3C home > Mailing lists > Public > public-privacy@w3.org > April to June 2019

Big PING Ideas

From: Pete Snyder <psnyder@brave.com>
Date: Wed, 10 Apr 2019 11:36:47 -0700
Message-Id: <FF2E5C9A-6B58-4DE4-960D-CDE823CECE07@brave.com>
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
(Separate thread)

At the AC meeting, Jeff challenged us to suggest ideas that would improve privacy on the web, and not just prevent new standards from making it worse.  I think this is a great idea.  Here are some large, partially thought through ideas, that I’d like to suggest for more discussion:

1) Determine all rarely used browser functionality (difficult, but I have ideas!), any for any functionality behind a certain threshold, put it behind a permission prompt and / or block it until there is a user gesture in the frame and / or block access to it from 3p code.

2) Use an APIs similar to Trusted Types (e.g. strings that know they’re different from other strings, or kinda-sorta a facsimile of taint tracking) to prevent values from storage syncs from moving across frame boundaries / network sinks.

3) Flip the script on iframes; define a restrictive default feature-policy on all 3p frames.

4) Add idea of feature policy for scripts, define default restrictive feature policy for scripts, make this the default for sites taking advantage of Y new nice feature (HTTP3 / QUIC, etc.)

Again, I’m sure all partially half-through through, and could use some humbling and taking down a peg, but wanted to start discussion to answer Jeff’s “call”.

Pete
Received on Wednesday, 10 April 2019 18:37:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:37 UTC