W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2015

Re: In what circumstances is "delayed execution" acceptable on the web?

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 12 Nov 2015 09:48:27 -0800
Message-ID: <CABkgnnUresMgKtVLvYAF9jqr-tC+Rx8r0W=t0LXDGo2jH4yCJA@mail.gmail.com>
To: Jake Archibald <jakearchibald@google.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On 12 November 2015 at 01:40, Jake Archibald <jakearchibald@google.com> wrote:
> The goal here is to remove the failures of the lie-fi (and offline) case
> without impacting the perfect connectivity case. Requiring an opt-in browser
> level permission to let a user send an email would be a big user experience
> regression in the perfect connection case.

If the concerns are largely due to network moves, then isn't this a
matter of identifying [*] when these secondary actions are permitted?
I think that the major risk occurs when there is both a) a delay
between trigger and action and b) a change in circumstance.

I don't think that we should be overly concerned about the constant
shift between WiFi and cellular connections for a device that happily
flip-flops between the two.  We might be concerned about ensuring that
what happens at home does not accidentally propagate to the workplace
(and vice versa).

[*] I used "identify" advisedly, noting that it isn't always possible
for a browser to identify it's own network situation reliably.
Whatever solution we come up with here needs to account for that fact
as well.
Received on Thursday, 12 November 2015 17:48:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC