Proposal for reducing covert sharing of UA state.

An attempt has been made to outline a proposal for reducing the risk of covert sharing of the UA state, and although it needs a lot more work, it may be of interest for discussions this week.  See: http://www.w3.org/community/pua/wiki/Draft

In summary the proposal suggests extensions that would allow web workers to receive user input via messages posts, and to post changes back to the DOM.  It also proposes that a declarative markup mechanism be added for creating web works so that a document with JS disabled or restricted could still implement page logic in web workers.  To reduce the risk of covert sharing of UA state it is proposed to add a document 'Private' JS context that limits access to back channels yet could still have DOM access to implement rich applications.

While this would not eliminate fingerprinting issues, it would reduce the fingerprint surface, and allow a line to be drawn between private UA presentation state and state shared with the web.

These extensions may have some value for designing secure content because a JS driven page could be implemented without the document JS context enabled which would reduce many UI redressing risks.

I would also like to explore possible benefits for accessibility that could flow from webpage designs that separate page logic into web workers and that use messages to receive input from the webpage and to post changes back.

cheers
Fred

 		 	   		  

Received on Tuesday, 30 October 2012 15:28:50 UTC