Re: Fixing third party content

From: Craig Francis <craig.francis@gmail.com>
Date: Tue, 22 Mar 2016 18:52:51 +0000
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-Id: <57FFA593-A7AB-4CD1-8EC0-23828E55AA71@gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
On 22 Mar 2016, at 12:37, Yoav Weiss <yoav@yoav.ws> wrote:

> FWIW, I totally agree that the way third party content is embedded today is troubling from both security and performance perspectives.

Thanks Yoav,

Unfortunately I don't have any contacts/documents at the moment (I'm working on it, and will welcome any suggestions from others).

The main things I am aware of include:

1) Accessing the Text Content of the page, just for context sensitive advertising (where read-only access should be good enough).

2) Clearly showing their advert (modal adverts will be covered later, along with iframes that can change their height).

3) Tracking of users (a separate discussion).

From a website owner's point of view, the advertising company should not be doing anything else with my website... for example, replacing words on the page with links (or hover panels), or changing the words on the page, or reading CSRF tokens, or recording Session Cookies, or automatically redirecting my customer away to another website, etc.

At the moment Advertisers have had far too much control, and they have clearly abused that position, so if we want this relationship to work, they will need to accept some hard-coded limits, otherwise Ad-Blockers will continue to be the solution (unfortunately).

Craig
> On 22 Mar 2016, at 12:37, Yoav Weiss <yoav@yoav.ws> wrote:
> 
> FWIW, I totally agree that the way third party content is embedded today is troubling from both security and performance perspectives.
> 
> Do you have any documents regarding which type of read access these ad providers require? Are you sure read access would satisfy their needs? Are ad providers unified regarding these requirements? 
> 
Received on Tuesday, 22 March 2016 18:53:22 UTC