Explicit intents privacy concern

I read the minutes, but I don't understand the threat identified with
explicit intents. Here's my perception:

1. The user is on a web page, which already has some private information on
it. (That is, that page is already a trustee.)

2. The page invokes an explicit intent, by means of which it passes some
private data to a third party.

I agree this is a new way for a page to pass private information to a third
party, but there's no new privacy vulnerability here -- the page could just
as well link to the site they are passing private data through, passing it
through HTTP args, or do any number of other unmediated requests to get the
UA to send that data to the third party. If the UA is uncooperative, it can
pass it out-of-band in the backend. That is, if the trustee page wants to
pass private data to a third party, *they are already a trustee*! The data
is already under their control by definition, and there is nothing the UA
can do in-band to restrict their ability to get it to a third party.

I don't see this as an issue.

-Greg

Received on Friday, 20 July 2012 21:38:22 UTC