- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 19 Jun 2008 09:42:57 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
On Thu, 19 Jun 2008, Jonas Sicking wrote:
>
> And it's useful for pages that contain private information only when
> cookies are sent, but when no cookies are sent they only provide public
> information. I've given two examples of this in other threads:
>
> 1. A news site serving articles in different categories. When the user
>    is logged in and has configured a home zipcode includes a category
>    of local news.
>
>    Example: news.yahoo.com
>
> 2. A discussion board that allows comments to be marked private. Only
>    when a user is logged in and has access to private comments are the
>    private comments included, otherwise only the public comments are
>    shown.
>
>    Example: buzilla.mozilla.com

For these, how would the site initiating the connection to the data
provider server know whether or not to include the load-private-data
flag?

Surely if the server does anything with the load-private-data flag, then
it is fundamentally as vulnerable as if we didn't do any of this. This
only helps with servers that have same-domain pages that accept cookies,
but have no cross-domain pages that accept cookies, ever (since if any of
the cross-domain pages accept cookies, then our initial assumption -- that
the site author makes a mistake and his site reacts to cookies in
third-party requests by doing bad things -- means that he's lost).

> > This has one side-effect, which is that it doesn't work well with XBL
> > or VBWG in environments where the XBL file (or VXML file) is
> > customised to the user but accessed cross-site. Is that ok?
>
> It doesn't "work well" in the sense that they don't work out-of-the-box.
> It would be trivial to add a load-private-data pseudo attribute to the
> <?xbl?> PI that sets the "with credentials" flag to true.
>
> However I can't think of a situation where someone wants to load private
> XBL bindings so I'm totally ok with it being a bit more hassle. It might
> be a bigger deal for VXML, I don't know since I've not looked at that
> spec.

Sounds fair to me. I'll add the attribute to XBL2 when it goes back to LC
once implementations start, assuming we adopt this.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 19 June 2008 09:43:49 UTC
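The contrast Ian draws above, as an added example that is not from the thread: a model of the discussion-board data provider in two versions, one that includes private comments whenever the browser attached a valid session cookie (the behaviour that is lost as soon as any cross-domain page accepts cookies) and one that additionally requires the request to be same-origin. The origins, session table and comment strings are constructed for the example.

```python
from typing import Callable, List, Optional

# Constructed sample data standing in for the discussion-board case.
PUBLIC_COMMENTS = ["public: reproduces on trunk"]
PRIVATE_COMMENTS = ["private: embargoed fix details"]
SESSIONS = {"sess-123": "alice"}                 # cookie value -> logged-in user
PROVIDER_ORIGIN = "https://board.example"        # hypothetical data-provider origin


def comments_cookie_keyed(cookie: Optional[str], origin: Optional[str]) -> List[str]:
    """The pattern the mail calls fundamentally vulnerable: private data is
    included whenever a valid session cookie arrives, regardless of who asked."""
    if cookie in SESSIONS:
        return PUBLIC_COMMENTS + PRIVATE_COMMENTS
    return list(PUBLIC_COMMENTS)


def comments_origin_gated(cookie: Optional[str], origin: Optional[str]) -> List[str]:
    """Hardened: the cookie unlocks private data only for same-origin requests.
    A plain navigation carries no Origin header, so None counts as same-origin;
    a cross-site request gets the public view even when cookies were attached."""
    same_origin = origin is None or origin == PROVIDER_ORIGIN
    if cookie in SESSIONS and same_origin:
        return PUBLIC_COMMENTS + PRIVATE_COMMENTS
    return list(PUBLIC_COMMENTS)


def cross_site_request(handler: Callable[..., List[str]], load_private_data: bool) -> List[str]:
    """Model a third-party page fetching the provider. With the load-private-data
    ("with credentials") flag set the browser attaches the user's session cookie;
    without it the request is anonymous. Origin is always the third-party site."""
    cookie = "sess-123" if load_private_data else None
    return handler(cookie, "https://third-party.example")


def leaks_private_data(handler: Callable[..., List[str]]) -> bool:
    """True if a credentialed cross-site request to this handler exposes private data."""
    return any(c in PRIVATE_COMMENTS for c in cross_site_request(handler, True))


if __name__ == "__main__":
    for name, h in [("cookie-keyed", comments_cookie_keyed),
                    ("origin-gated", comments_origin_gated)]:
        print(f"{name}: private data reachable cross-site = {leaks_private_data(h)}")
```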