- From: Greg Billock <gbillock@google.com>
- Date: Fri, 20 Jul 2012 14:37:55 -0700
- To: WebIntents <public-web-intents@w3.org>
- Message-ID: <CAAxVY9c7fwi2W3QgFTkQJ6c8KNK=YohOh5Ucr_Jm9k65teae1w@mail.gmail.com>
I read the minutes, but I don't understand the threat identified with explicit intents. Here's my perception: 1. The user is on a web page, which already has some private information on it. (That is, that page is already a trustee.) 2. The page invokes an explicit intent, by means of which it passes some private data to a third party. I agree this is a new way for a page to pass private information to a third party, but there's no new privacy vulnerability here -- the page could just as well link to the site they are passing private data through, passing it through HTTP args, or do any number of other unmediated requests to get the UA to send that data to the third party. If the UA is uncooperative, it can pass it out-of-band in the backend. That is, if the trustee page wants to pass private data to a third party, *they are already a trustee*! The data is already under their control by definition, and there is nothing the UA can do in-band to restrict their ability to get it to a third party. I don't see this as an issue. -Greg
Received on Friday, 20 July 2012 21:38:22 UTC