- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 18 Oct 2012 12:36:22 +0200
- To: public-privacy@w3.org
- Cc: Adam Barth <w3c@adambarth.com>, Fred Andrews <fredandw@live.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Dear Adam, Brad,

having specified a mechanism of policy violation reporting without having considered privacy is a problem. The current specification says in 4.11:

==
The report-uri directive specifies a URI to which the user agent sends reports about policy violation.
==

It goes on saying:

==
To send a violation report, the user agent must use an algorithm equivalent to the following:
==

The following algorithm disregards the user using the web application. It would be very easy to add a step that allows a decision by the user to send the report or not. This is what current operating systems do and I look forward to an argument on why this is omitted here.

In light of DRM systems in Apps and the current discussions in media about mobile applications revealing data about the user, requiring a response on privacy is far from trolling. The issue may be big or not and I'm willing to participate in the TPAC session organized by Brad. But "phoning home" without the user knowing is a serious issue that is very specific to CSP.

Can you elaborate how this is resolved in CSP other than "this is an implementation question"? IMHO because CSP creates a "phone home" feature, it should also address the consequences.

Best,

Rigo Wenning
W3C Privacy Activity Lead

On Wednesday 17 October 2012 16:02:13 Adam Barth wrote:
> What you've written below is nonsense. Please stop trolling this
> mailing list.

Received on Thursday, 18 October 2012 10:37:10 UTC