Re: In what circumstances is "delayed execution" acceptable on the web?

From: Jake Archibald <jakearchibald@google.com>
Date: Fri, 13 Nov 2015 09:38:37 +0000
Message-ID: <CAPy=JopjzguToMZGYF26MM_o4Zp6K0b37pNLsrkufLf7O6sEfQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>, Anne van Kesteren <annevk@annevk.nl>

On Thu, 12 Nov 2015 at 17:48 Martin Thomson <martin.thomson@gmail.com> wrote:

> I don't think that we should be overly concerned about the constant
> shift between WiFi and cellular connections for a device that happily
> flip-flops between the two.  We might be concerned about ensuring that
> what happens at home does not accidentally propagate to the workplace
> (and vice versa).
We considered this as the "wikileaks" case. A user who creates a wikileaks
background sync at home may not want that to fire at work.

Given that background sync is only available over https, there isn't the
MITM worry in terms of observing data transmitted, but yeah the destination
IP could be observed. However, the observer wouldn't be able to reliably
tell posting to wikileaks apart from the user pressing "w" in their
location bar, it autocompleting to wikileaks and triggering a preload
request.

Both of these issues are solved by private browsing modes.

Received on Friday, 13 November 2015 09:39:16 UTC