- From: Tim Berners-Lee <timbl@w3.org>
- Date: Thu, 3 Jun 2010 11:33:10 -0400
- To: nathan@webr3.org
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>, John Kemp <john@jkemp.net>

On 2010-06-02, at 15:58, Nathan wrote:

> Does this in any way tie in with what John Kemp is working on with CORS/UMP etc?
>
> On reflection it seems a bit odd a spec is being made that allows sites to transfer personal information to each other, but doesn't give any control to the user over what they want to send to those sites.

Yes. I think it does connect.

The CORS system allows a site to say "When you access this data, we the publishers trust you to run scripts from xx.yy.com domain on it". The publisher has control of the fate of the data - sounds reasonable except it ignores the possibility of the user knowing that the scripts are safe.

In the copy ambush example, I sympathize with Paul Libbrech (and Jonas Sicking) when he says "...the only way out is to give the user the choice". So a user may decide to trust -- well to allow, on balance -- the scripts from a given domain, while they will have advantages and disadvantages.

So the browser has to build up a list of user-trusted script sites?

Tim

Received on Thursday, 3 June 2010 15:33:16 UTC