Re: [Page Visibility] Spec -- privacy concern from Adam Shannon on 2011-05-19 (public-web-perf@w3.org from May 2011)

From: Adam Shannon <adam@ashannon.us>
Date: Wed, 18 May 2011 19:32:49 -0500
To: Jatinder Mann <jmann@microsoft.com>
Cc: "public-web-perf@w3.org" <public-web-perf@w3.org>
Message-ID: <BANLkTi=gxr9hOeeugyi1Gsaec+rV38Y3NA@mail.gmail.com>

For real-world practicality it seems to me that option #2 would be the
best. The users who care enough about it will change it, and I'm sure
organizations (EFF, etc.) could launch support to allow less-technical
users to change it also.

The page/user's privacy is some-what lessened, but the same basic
functionality can be achieved with today's technologies. So, if the
new API does provide a usable interface, and not just feature bloat,
(which I think it does by allowing applications to "idle", big for
performance gains), I would be opposed to leaving it out and force
extra effort onto developers down the line.

On Wed, May 18, 2011 at 18:48, Jatinder Mann <jmann@microsoft.com> wrote:
> To recap, the privacy concern is that web applications can better deterministically know whether you are viewing their content then they could have done before. Using window.onfocus and window.onblur already gives a website a good indication of the user presence. Page Visibility will give a slightly more accurate indication of user presence; Page Visibility will correctly return the User agent is visible in the case that it is not minimized and another application is in focus, whereas onfocus and onblur won’t.
>
> As discussed on today's call, our options are as so:
>
> (1) Decide that Page Visibility doesn’t significantly increase the privacy issue that is already present,
> (2) Allow User agents to specify a setting to disable Page Visibility APIs,
> (3) Page Visibility should be limited to same-origin unless specified via a meta-tag,
> (4) a combination of options 2 and 3.
>
> I would argue against option 3. The convention is to allow scripts added to a page via the script tag to have full access to properties on window/document; they are treated as if they were same origin scripts. For example, today a x-domain script added to a page has access to window.onfocus and window.onblur. Likewise, the convention is that same origin iframes have access to window/document and x-domain iframes do not. We should maintain that convention here.
>
> I recommend as a working group, we decide between option 1 or 2.
>
> Thanks,
> Jatinder
>
>
>



-- 
Adam Shannon
Web Developer
University of Northern Iowa
Sophomore -- Computer Science B.S.
http://ashannon.us

Received on Thursday, 19 May 2011 00:33:37 UTC