- From: Nottingham, Mark <mnotting@akamai.com>
- Date: Sat, 22 Nov 2014 19:57:23 -0600
- To: Brian Smith <brian@briansmith.org>
- CC: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Catching up… > On 11 Nov 2014, at 12:26 pm, Brian Smith <brian@briansmith.org> wrote: > > On Mon, Nov 10, 2014 at 3:53 PM, Brad Hill <hillbrad@gmail.com> wrote: >> I guess that is a (likely unintended) consequence of the feature. > > I also assume that if it is a consequence, it is unintended. > >> Adversarial blocking tools like this are always going to lead to an >> arms race / cat-and-mouse / pick your metaphor for neverending >> game-theoretic churn. Once there's enough money at stake, the >> decision to take the risk will probably be made, with or without good >> mitigation technologies available. Do we want to sacrifice the ability >> to more easily partition applications in to securable components for a >> position in that battle that will surely be overrun anyway? > > I think it is good to recognize the issue, and ask for feedback from > people on the pro-tracking-protection side. I forwarded part of the > thread to the relevant people at Mozilla. It may be the case that > there is a way to avoid the negative unintended consequence without > sacrificing the security benefits. At least, I think that should be a > goal. +1 In particular, it’s concerning that we’re creating a new artefact on the Web that has all of the properties of an origin, but it can’t be discriminated from other origins using the same (scheme, host, port) tuple — as most things do. Cheers, -- Mark Nottingham mnot@akamai.com http://www.mnot.net/
Received on Sunday, 23 November 2014 01:59:24 UTC