Re: In what circumstances is "delayed execution" acceptable on the web?

From: Wendy Seltzer <wseltzer@w3.org>
Date: Thu, 12 Nov 2015 20:34:46 -0500
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <56453E36.6030304@w3.org>
On 11/12/2015 12:48 PM, Martin Thomson wrote:
> On 12 November 2015 at 01:40, Jake Archibald <jakearchibald@google.com> wrote:
>> The goal here is to remove the failures of the lie-fi (and offline) case
>> without impacting the perfect connectivity case. Requiring an opt-in browser
>> level permission to let a user send an email would be a big user experience
>> regression in the perfect connection case.
> 
> If the concerns are largely due to network moves, then isn't this a
> matter of identifying [*] when these secondary actions are permitted?
> I think that the major risk occurs when there is both a) a delay
> between trigger and action and b) a change in circumstance.
> 
> I don't think that we should be overly concerned about the constant
> shift between WiFi and cellular connections for a device that happily
> flip-flops between the two.  We might be concerned about ensuring that
> what happens at home does not accidentally propagate to the workplace
> (and vice versa).

Yes, given different sorts of network rules and monitoring, the
home-workplace switch sounds like a real issue. If we don't give users
hints that this persistent network traffic is possible, and switches to
block it, some will likely wind up feeling betrayed by their user-agents
-- even if none of the sites was doing anything actively malicious.

I wonder if delay alone might be enough to trigger concern, such as
allowing more time for intrusive data-gathering about the user's
activities.

Do browsers need a "pause/stop all network activity" button?

--Wendy

> 
> [*] I used "identify" advisedly, noting that it isn't always possible
> for a browser to identify its own network situation reliably.
> Whatever solution we come up with here needs to account for that fact
> as well.
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Friday, 13 November 2015 01:34:50 UTC