- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Thu, 12 Nov 2015 20:34:46 -0500
- To: WebAppSec WG <public-webappsec@w3.org>
On 11/12/2015 12:48 PM, Martin Thomson wrote:
> On 12 November 2015 at 01:40, Jake Archibald <jakearchibald@google.com> wrote:
>> The goal here is to remove the failures of the lie-fi (and offline) case
>> without impacting the perfect connectivity case. Requiring an opt-in browser
>> level permission to let a user send an email would be a big user experience
>> regression in the perfect connection case.
>
>
> If the concerns are largely due to network moves, then isn't this a
> matter of identifying [*] when these secondary actions are permitted?
> I think that the major risk occurs when there is both a) a delay
> between trigger and action and b) a change in circumstance.
>
> I don't think that we should be overly concerned about the constant
> shift between WiFi and cellular connections for a device that happily
> flip-flops between the two. We might be concerned about ensuring that
> what happens at home does not accidentally propagate to the workplace
> (and vice versa).

Yes, given different sorts of network rules and monitoring, the
home-workplace switch sounds like a real issue. If we don't give users
hints that this persistent network traffic is possible, and switches to
block it, some will likely wind up feeling betrayed by their user-agents
-- even if none of the sites was doing anything actively malicious.

I wonder if delay alone might be enough to trigger concern, such as
allowing more time for intrusive data-gathering about the user's
activities. Do browsers need a "pause/stop all network activity" button?

--Wendy

>
> [*] I used "identify" advisedly, noting that it isn't always possible
> for a browser to identify its own network situation reliably.
> Whatever solution we come up with here needs to account for that fact
> as well.
>

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)

Received on Friday, 13 November 2015 01:34:50 UTC