RE: Media Queries and optimizing what data gets transferred

Behrang,

The UA is more than capable of blocking the JS threat, so I do not believe this is an excuse for allowing leaks in new standards or for choosing a standard that depends on the sharing of potentially private state when there are technologically superior alternatives that can minimize the leaks.

You might be interested in the work of the PUA CG to define JS restrictions that secure the UA from such threats, see:
http://www.w3.org/community/pua/wiki/Draft

There are also existing browser extensions such as 'noscript' that can offer some protection.

I appeal to those interested in optimizing loading to work together on a client side solution.  There is a CfC on the 'picture' and 'srcset' specifications and I am trying to make sure these have a chance of meeting these needs and I would welcome assistance reviewing these, see:
http://lists.w3.org/Archives/Public/public-html-admin/2013Jan/0228.html

cheers
Fred

Date: Tue, 5 Feb 2013 10:33:19 +1100
From: behrangsa@gmail.com
To: fredandw@live.com
CC: robertc@boogdesign.com; www-style@w3.org
Subject: Re: Media Queries and optimizing what data gets transferred

Fred,
I am not a security/privacy guy, but you mention:
> Users that want to choose lower resolution images to speed loads and lower bandwidth usage will need to expose some state, but less state needs to be exposed with client-side adaptation and the state that is exposed is less meaningful.
> The client-hints proposal requires a larger amount of client state to be exposed and processes this on the server side to select from an expected limited range of resources.  Keeping the selection algorithm on the client side inherently reduces the amount of state exposed.  It would be expected that in the majority of cases there is only a single resource to select, and in this case the client-side adaptation need not expose any state whereas with the client-hints proposal the client is required to blindly expose the state in the hope that the server might be able to choose an 'optimal' resource.


Let's assume we have two kinds of companies:

1- the evil ones: you don't want your state to be exposed to them. Even without client side hints, they can add some JS code that reveals your client state via AJAX or something.
2- the good ones: you don't mind if your state is exposed to them, this means both approaches are acceptable.

Am I missing something here?

Cheers,
Behrang Saeedzadeh
http://www.behrang.org



On Fri, Feb 1, 2013 at 11:35 PM, Fred Andrews <fredandw@live.com> wrote:

Users that want to choose lower resolution images to speed loads and lower bandwidth usage will need to expose some state, but less state needs to be exposed with client-side adaptation and the state that is exposed is less meaningful.

The client-hints proposal requires a larger amount of client state to be exposed and processes this on the server side to select from an expected limited range of resources.  Keeping the selection algorithm on the client side inherently reduces the amount of state exposed.  It would be expected that in the majority of cases there is only a single resource to select, and in this case the client-side adaptation need not expose any state whereas with the client-hints proposal the client is required to blindly expose the state in the hope that the server might be able to choose an 'optimal' resource.

Further, the client need not base the resource choice on actual device state, so the exposed state is potentially less meaningful.  For example, with client-side adaptation the client could choose to download only the largest images and to downscale these as needed.  This would stop re-validation events when media parameters change, further lowering the exposed state.  For example, if a client downloads lower resolution images it might match a device characteristic or it might be an arbitrary choice of the user.


cheers
Fred

> Date: Fri, 1 Feb 2013 11:58:39 +0000
> From: robertc@boogdesign.com
> To: www-style@w3.org
> Subject: Re: Media Queries and optimizing what data gets transferred
> 
> On 01/02/2013 06:37, Fred Andrews wrote:
> > Keeping the adaptation client-side avoids the user
> > being forced to reveal UA state
> 
> Surely the client-state is going to be revealed by what resources it 
> downloads anyway?
> 
> Rob
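As an added example that is not part of this thread, the following JavaScript models the comparison Fred draws between client-side selection (a srcset-style candidate list chosen by the UA) and a client-hints design where raw device state travels in request headers, including the single-resource case and the "always fetch the largest and downscale" policy. The candidate format, the selection policy names and the header names are assumptions for illustration, not taken from either specification.

```javascript
// Added example, not from the thread: models what a server can learn from an
// image request under the two designs Fred contrasts above. Header names in the
// client-hints branch are illustrative labels, not taken from any spec.

// Parse a srcset-style list such as "a.jpg 1x, b.jpg 2x" (x descriptors only).
function parseSrcset(srcset) {
  return srcset.split(",").map(part => {
    const [url, descriptor = "1x"] = part.trim().split(/\s+/);
    return { url, density: parseFloat(descriptor) };
  });
}

// Client-side selection. With policy "fit" the UA picks the smallest candidate
// whose density covers the device pixel ratio; with policy "largest" it always
// fetches the densest candidate and downscales locally, so the request no
// longer depends on device state at all (Fred's second point).
function selectCandidate(candidates, dpr, policy = "fit") {
  const sorted = [...candidates].sort((a, b) => a.density - b.density);
  if (policy === "largest") return sorted[sorted.length - 1];
  return sorted.find(c => c.density >= dpr) || sorted[sorted.length - 1];
}

// Compare the server-visible information for one request.
function exposedState(srcset, clientState, policy = "fit") {
  const candidates = parseSrcset(srcset);
  const chosen = selectCandidate(candidates, clientState.dpr, policy);
  return {
    clientSide: {
      requestedUrl: chosen.url,
      // Distinct requests the server could observe across all clients; it
      // learns at most log2 of this many bits, and nothing at all when it is 1.
      distinctOutcomes: policy === "largest" ? 1 : candidates.length,
    },
    clientHints: {
      // Raw state is sent on every request, even when only one resource exists.
      headers: { "DPR": clientState.dpr, "Viewport-Width": clientState.viewportWidth },
    },
  };
}

// Constructed sample inputs.
const SINGLE = "hero.jpg";
const MULTI = "hero.jpg 1x, hero@2x.jpg 2x, hero@3x.jpg 3x";
const RETINA = { dpr: 2, viewportWidth: 1280 };

console.log(exposedState(SINGLE, RETINA));
console.log(exposedState(MULTI, RETINA));
console.log(exposedState(MULTI, RETINA, "largest"));
```

With a single candidate the requested URL is identical for every client, so the server learns nothing from the choice, whereas the client-hints branch carries the same raw values regardless of how many resources exist.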

Received on Tuesday, 5 February 2013 00:13:03 UTC