Re: In what circumstances is "delayed execution" acceptable on the web?

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 12 Nov 2015 19:33:15 -0800
Message-ID: <CABkgnnU+WkVSZUkvtF4RZ+FXZmSHKad+AnVExXNbT9hFYgwbVg@mail.gmail.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Jake Archibald <jakearchibald@google.com>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>

On 12 November 2015 at 18:31, Jeffrey Yasskin <jyasskin@google.com> wrote:
> Showing "https://foo.com/, https://bar.com/, and https://baz.com/ want
> to upload data" when you arrive at a new network could be
> non-interrupty enough

Honestly, I think that we've failed if we have to pull out the
security analogue of Deus Ex Machina in any situation here.  There is
no such thing as non-interrupty in any situation other than those
where there is an *expectation* for the question.

That's not saying that you couldn't build the hooks that would allow a
user to control this, we should do that.  Or that we shouldn't provide
some way of ensuring that the site remain accountable to the user in
some way.  To that end, some visible indication that background
activity is ongoing is a fine idea.  But anything that involves modal
user interaction is right out in my opinion.
Received on Friday, 13 November 2015 03:33:42 UTC