
Re: [clear-site-data] clearing information about URLs visited

From: Mike West <mkwst@google.com>
Date: Mon, 14 Sep 2015 10:23:17 +0200
Message-ID: <CAKXHy=eBEvM_Lm5mi99bH2z0hL8TBAbm63grgmGcDHqORH3W2g@mail.gmail.com>
To: Nick Doty <npdoty@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Sep 14, 2015 at 9:22 AM, Nick Doty <npdoty@w3.org> wrote:

> One motivating use case I've been thinking about recently is -- first in
> the current list -- logging out of your webmail or social network. Here's a
> version of this: a doctor uses their laptop at home to check their work
> email, which includes updates on their patients. When the doctor dutifully
> logs out of the webmail site, it would be preferable if any of the
> information in those emails was cleared locally, so that if someone else
> used the device, or if the device were lost or stolen, sensitive health
> information wouldn't be easily accessible.
>

This use-case is indeed the motivating factor from my perspective, so I
hope we can do a good job of serving it.


> My concern is that the list of 8 data items in
> https://w3c.github.io/webappsec/specs/clear-site-data/#goals doesn't
> cover all the stored sensitive information. For example, a doctor might
> open a particular message with a URL that includes the patient's name or
> medical record number; or the title of a page might include the subject
> line of a message that includes the patient's name or diagnosis. Browsers
> typically cache not just the resources, but the URLs visited and their
> titles.
>

I hope that this remains out of scope for this spec. I think it's worth
thinking about what we could do to allow a site to remove more traces of
itself, but I think that there's a pretty big jump between clearing the
kinds of data that the site theoretically already has control over (either
directly via JavaScript interfaces, or indirectly via headers which control
cache timeouts) on the one hand, and data which traditionally has been out
of their control on the other (history, bookmarks, passwords, etc).

I could imagine ways in which we could implement the latter set of things,
but it would almost certainly require user involvement in one way or
another. As I noted in the "remnants" section you referenced, it's not
clear to me that we can do a good job of going back and erasing data in a
reasonable way. The better way of offering this functionality to users is
through education regarding the browsing features that serve the use case:
incognito/private mode, etc. is well-scoped to solve this problem.

> Could Clear Site Data include an additional parameter for browsing history?
> That would be URLs visited and associated metadata; it could be limited to
> certain sections of a site, but I'm not sure that level of complexity is
> necessary. Or is this something for the proposed Auto-Private Browsing Mode
> instead?
>

As folks have noted in the PING thread on the topic, it's not clear that
removing browsing history is a reasonable thing to offer to websites.

-mike
Received on Monday, 14 September 2015 08:24:06 UTC
