- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 8 Sep 2010 10:16:09 -0700
- To: Nathan Kitchen <w3c@nathankitchen.com>
- Cc: public-webapps@w3.org
On Tue, Sep 7, 2010 at 11:51 AM, Nathan Kitchen <w3c@nathankitchen.com> wrote:
> Hi all.
> Stumbled across this article on Ars Technica regarding the abuse of the
> WebSQL spec. I thought I'd share it here for a couple of reasons:
>
> Someone might want to point out that it's part of the Offline Storage Spec,
> not strictly HTML5.
> Security implications may inform some aspects of the spec.
>
> Article: Advertisers get hands stuck inside HTML5 database cookie
> jar (http://arstechnica.com/apple/news/2010/09/rldguid-tracking-cookies-in-safari-database-form.ars)

For what it's worth, we have been discussing attacking this from two
directions in the Mozilla implementation of IndexedDB:

1. We're going to prompt the user before allowing any databases to be
created. This both makes it easy for a user to prevent tracking by simply
ignoring requests to create databases (or explicitly denying them), and
creates a user experience that ad providers often don't want to create,
giving them incentive to use other technologies instead.

2. We've talked about putting restrictions on usage of IndexedDB inside
cross-origin iframes. The simplest restriction would be to simply disallow
IndexedDB to be used inside such iframes. This makes it impossible for ad
networks to track you across sites using an iframe pointing to a domain
controlled by the ad network and which handles IndexedDB interactions.

/ Jonas
Received on Wednesday, 8 September 2010 17:16:59 UTC
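The two mitigations Jonas sketches above, modelled as an added example. This is not code from the thread, from Mozilla's IndexedDB implementation, or from any browser: it is a toy browser in which storage is keyed by origin (scheme, host, port), a database can only be opened after the user answers a per-origin prompt, and, optionally, a frame whose origin differs from the top-level page's is refused outright. The ad-network and publisher URLs and the visitor id are constructed for illustration.

```javascript
// Added example, not from the original thread or any browser's code.
// Models the two IndexedDB mitigations discussed: a per-origin prompt and a
// ban on IndexedDB inside cross-origin iframes. All URLs below are constructed.

// Origin = scheme + host + port; WHATWG URL drops a default port, so
// "https://a.example:443/" and "https://a.example/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps an explicit non-default port
}

// Mitigation 2: a frame may use IndexedDB only if its origin equals the
// top-level document's origin.
function frameMayUseStorage(topUrl, frameUrl) {
  return originOf(topUrl) === originOf(frameUrl);
}

// Mitigation 1: ask the user once per origin. An ignored prompt (undefined)
// is treated exactly like an explicit denial.
class PermissionStore {
  constructor(askUser) {
    this.askUser = askUser;     // (origin) => 'allow' | 'deny' | undefined
    this.decisions = new Map(); // origin -> boolean
  }
  granted(origin) {
    if (!this.decisions.has(origin)) {
      this.decisions.set(origin, this.askUser(origin) === 'allow');
    }
    return this.decisions.get(origin);
  }
}

// Toy browser: one storage namespace per origin, reached only through both checks.
class Browser {
  constructor({ restrictCrossOriginFrames, askUser }) {
    this.restrict = restrictCrossOriginFrames;
    this.perms = new PermissionStore(askUser);
    this.storage = new Map(); // origin -> Map acting as the "database"
  }
  openDatabase(topUrl, frameUrl) {
    if (this.restrict && !frameMayUseStorage(topUrl, frameUrl)) {
      return { ok: false, reason: 'cross-origin-iframe' };
    }
    const origin = originOf(frameUrl);
    if (!this.perms.granted(origin)) {
      return { ok: false, reason: 'user-denied' };
    }
    if (!this.storage.has(origin)) this.storage.set(origin, new Map());
    return { ok: true, db: this.storage.get(origin) };
  }
}

// The tracking pattern from the article: the same ad-network iframe is embedded
// on two unrelated publisher sites, stores a visitor id on the first visit and
// reads it back on the second. Because storage is keyed by the frame's origin,
// not the embedding site's, the id survives the change of site.
const AD_FRAME = 'https://ads.example/track.html'; // constructed
const SITE_A = 'https://news.example/story';       // constructed
const SITE_B = 'https://shop.example/cart';        // constructed

function runTrackingScenario(options) {
  const browser = new Browser(options);
  const first = browser.openDatabase(SITE_A, AD_FRAME);
  if (!first.ok) return { tracked: false, reason: first.reason };
  first.db.set('visitor_id', 'v-1234'); // constructed identifier

  const second = browser.openDatabase(SITE_B, AD_FRAME);
  if (!second.ok) return { tracked: false, reason: second.reason };
  return {
    tracked: second.db.get('visitor_id') === 'v-1234',
    reason: 'same-origin-storage',
  };
}

// Stand-alone run: no mitigation, a user who ignores the prompt, and the iframe ban.
console.log('no mitigation :', runTrackingScenario({ restrictCrossOriginFrames: false, askUser: () => 'allow' }));
console.log('prompt ignored:', runTrackingScenario({ restrictCrossOriginFrames: false, askUser: () => undefined }));
console.log('iframe ban    :', runTrackingScenario({ restrictCrossOriginFrames: true, askUser: () => 'allow' }));
```

The first scenario reproduces the tracking described in the article; the second and third show each mitigation on its own defeating it. Note that the iframe ban does not affect the first-party case: `openDatabase(SITE_A, SITE_A)` still succeeds, since the frame and top-level origins match.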