W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2015

Re: In what circumstances is "delayed execution" acceptable on the web?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 13 Nov 2015 11:05:58 +0100
Message-ID: <CADnb78ioXjHdyYv36rd-PBnuc7eQLnjnL_k6mXakjbwvjsT3pA@mail.gmail.com>
To: Jake Archibald <jakearchibald@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>
On Fri, Nov 13, 2015 at 10:38 AM, Jake Archibald
<jakearchibald@google.com> wrote:
> We considered this as the "wikileaks" case. A user who creates a wikileaks
> background sync at home may not want that to fire at work.
> Given that background sync is only available over https, there isn't the
> MITM worry in terms of observing data transmitted, but yeah the destination
> IP could be observed. However, the observer wouldn't be able to reliably
> tell posting to wikileaks apart from the user pressing "w" in their location
> bar, it autocompleting to wikileaks and triggering a preload request.

Can't they tell how much encrypted data was transmitted? And even
ignoring that you can tell it apart from a preload request as visiting
wikileaks.org also hits search.wikileaks.org at least.

Received on Friday, 13 November 2015 10:06:27 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:52 UTC