Re: Proposal for incorporating explicit intent invocation into the object literal constructor

On Thu, Apr 5, 2012 at 3:25 PM, Charles Pritchard <chuck@jumis.com> wrote:
> On 4/5/2012 3:10 PM, Greg Billock wrote:
>>
>> The expected User Agent behavior is that if this "service" attribute
>> is present, the picker SHOULD NOT be displayed (although the User
>> Agent is not prohibited from providing the user a way to reroute such
>> calls, even though they are marked explicit). Instead, the service url
>> SHOULD be loaded directly to handle the intent.
>>
>> The User Agent MAY ask the user if they wish to install this service,
>> just like for any other visit of the page, but SHOULD NOT do so
>> automatically.
>>
>> --------------
>> Another question: I'd pondered putting "MUST NOT" instead of "SHOULD
>> NOT" in the last sentence about automatic installation. I'm worried
>> that this might be a super-cookie, so I think it is probably a bad
>> idea, but on the other hand, I don't want to restrict user agents too
>> much, as automatic installation may be a really good UI strategy.
>
>
> All Intents may encounter this issue: an Intent may open up a webpage that
> contains additional intent registrations.
> Explicit intents are not necessarily "installed"; they're just kept around
> while the caller is active.
>
> We ought to distance "installation" from explicit invocation.
>
> What's the concern about super-cookie exploits? Explicit invocation seems
> like it'd just rely on applicationCache for speed.

It's not a powerful super-cookie, but if the user agent auto-installs
the service, and then the user clears history, this is a piece of
history that doesn't get cleared. That's not really easy to exploit,
but, for instance, a timing attack could potentially reveal such a
piece of history, given the practice of explicit intents not involving
the picker.

I'm not sure a 1-bit super-cookie is worth worrying about, given the
availability of 1-bit fingerprints in the platform. Perhaps that's not
the only attack opportunity, though.

> It's possible that a UA will prompt a user when launching an Intent anyway:
> UAs like FF have prompted users to accept applicationCache and/or local
> storage.

Correct. Nothing here prevents the UA from doing that, which would
make it a partial-bit super-cookie.

> -Charles

Received on Thursday, 5 April 2012 22:43:11 UTC