W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2015

Re: In what circumstances is "delayed execution" acceptable on the web?

From: Jeffrey Yasskin <jyasskin@google.com>
Date: Thu, 12 Nov 2015 10:55:29 -0800
Message-ID: <CANh-dXnZ8J5Zsu1E-=fFq13vq8idkbEHLSa3+bWS+_-=bbpJ9A@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Jake Archibald <jakearchibald@google.com>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>
On Wed, Nov 11, 2015 at 2:35 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> On Wed 2015-11-11 05:11:53 -0500, Jake Archibald wrote:
<snip>
>> and scupper one of the primary use-cases of background sync (queuing
>> things to send while offline).
>
> queuing something to send while offline is (or should be?) an explicit
> action taken by the user, with clear intent; isn't that effectively an
> "opt-in"?  Why would this be an action/state/permission that is hidden
> from the user?

As Jake said, for background sync, it usually will be based on an
explicit gesture the user makes on a page. However, the browser
doesn't know the difference between a "send later" gesture and a
"click link" gesture, so if the browser wants to make sure the user's
aware they're granting permission, the browser would need to pop up an
explicit question. Then we have 2 problems: 1) if a user almost always
accepts permission prompts, they may stop reading the prompts before
saying 'yes', hurting privacy overall, and 2) the question needs to be
phrased in a way the user understands. e.g. "Can this site interact
with the network later?" will miss users who a) don't know what a
network is, b) don't know that your network reveals your location, c)
don't know that a network can figure out what sites you're using over
it, d) don't understand what "later" could mean, etc.

Overall, "get the user's explicit permission" is much more complicated
than it sounds, and folks who ask for it need to try to answer the
questions it raises.

Jeffrey
Received on Thursday, 12 November 2015 18:56:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC