Re: [w3ctag/design-reviews] Notification Inline Replies (#284)

Hi,

Thanks for reaching out so quickly. Let me provide an initial security and privacy assessment.

I see a number of possible misuses on the horizon.

**Security.**
This addition changes the Notification model to enable bidirectional communication. It is not a problem in itself, but the possible risks are tricking users into doing unwanted things, and the "best" idea for a misuse may be in phishing. In other words:
- will the users know what the nature of the notification is?
- how will the users see the difference between replying to an app notification and possibly to a remote server?
- how happy will web browsers/OSs be with users being able to interact with a website-controlled UI like that, that is nonetheless being displayed as a standard message?

**Privacy**
Tracking is the simplest concern, as users will find it "simpler" to interact, and so at least data such as IP changes (when roaming) may pop in.

Also, what about existing permissions to display notifications: are they retained when this feature arrives?

So we've got an interesting case in terms of security, privacy, and UI.

P.S. An upside of this additional UI change is that it may enable a truly affirmative consent for private data processing! That's the situation when the user would need to type some confirmations literally (notification with text "do you agree to ...", answer: user-typed). I'm actually wondering whether browser permissions should not consider going in this particular direction... ;)


-- 
View it on GitHub:
https://github.com/w3ctag/design-reviews/issues/284#issuecomment-398437072

Received on Tuesday, 19 June 2018 15:17:51 UTC