W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: Limiting requests from the internet to the intranet.

From: Oda, Terri <terri.oda@intel.com>
Date: Wed, 6 Jan 2016 14:04:28 -0800
Message-ID: <CACoC0R_xeJOk44-AVAGbtwDk_QfJzN1OxM_P39DHRy_aRX2tgg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Chris Palmer <palmer@google.com>, Richard Barnes <rbarnes@mozilla.com>, Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, lee@asgard.org
On Mon, Jan 4, 2016 at 11:44 AM, Mike West <mkwst@google.com> wrote:

> On Mon, Jan 4, 2016 at 8:11 PM, Chris Palmer <palmer@google.com> wrote:
>> So, how often does the Pebble-like scenario happen in practice? We'll be
>> able to get telemetry in the abstract, but Chrome at least does not measure
>> specific origins. So we're going to get an aggregate along the lines of "x%
>> ignored the dialog; y% said no; z% said yes", and we won't know what
>> percentage of the time saying Yes had been a good idea or served a real use
>> case.
> Based on the discussion at https://crbug.com/378566 and the
> conversation(?) at https://news.ycombinator.com/item?id=9210484, there
> are several large services using this kind of scheme, and innumerable
> small/enterprise versions of various sorts. I don't know how we'll get
> reasonable aggregate metrics beyond
> https://www.chromestatus.com/metrics/feature/timeline/popularity/530
> (which shows ~0.5% of page views being public sites which include private
> resources). Those numbers might be big enough for rappor
> <https://www.chromium.org/developers/design-documents/rappor> to help?
Just to add another data point: I know some of Intel's products use the
Pebble-like scenario and have been told that blocking would be a
significant problem for some of our groups.  It most recently came up in
discussions of RealSense 3d camera support, and I suspect some of the
projects involve relatively new tech hardware that doesn't yet have
standards for communication, and the teams involved were hoping to use web
APIs to make things easier for developers.

I can ask around internally for more information beyond "yes this is a
thing that we use and removing it would be a hardship" if people are
interested in more details.
Received on Wednesday, 6 January 2016 22:05:00 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:53 UTC