- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 11 Jan 2014 16:43:36 +0000
- To: Nasko Oskov <nasko@chromium.org>
- Cc: Mike West <mkwst@google.com>, WebAppSec WG <public-webappsec@w3.org>, TAG <www-tag@w3.org>, Charlie Reis <creis@chromium.org>

On Fri, Jan 10, 2014 at 6:09 PM, Nasko Oskov <nasko@chromium.org> wrote:
> We have actually attempted implementing such isolation based on ideas in a
> paper [ http://www.charlesreis.com/research/publications/ccs-2011.pdf ]
> by Charlie Reis, Adam Barth, et al.

Nice!

> The example scenario that is confusing for the user is a
> news site with social networking buttons, which when clicked lead to
> authentication prompts, even though the user is already logged into the
> social network.

Yeah, this feature does not seem ideal for that kind of site. I guess the way iOS deals with this scenario is providing elevated access to Facebook and Twitter, which works fine, but does not really scale well and would not be a suitable solution on the web.

> Our decision was to try and achieve the same end result through different
> means, due to how we implement and enforce partitioning. We are currently
> working on the first piece needed to get us there.

Could you elaborate on this?

> If you are interested in glory details of why it didn't work as users expect
> it, let me know and I'll be happy to explain.

Assuming that once the user clicked the social network button that would lead to some inline popup and not a top-level navigation, I think I understand.

--
http://annevankesteren.nl/

Received on Saturday, 11 January 2014 16:44:04 UTC