On 25 March 2016 at 15:23, Joseph Birr-Pixton <[email protected]> wrote:
> On 25 March 2016 at 18:07, elijah <[email protected]> wrote:
>> On 03/25/2016 05:33 AM, Tom Ritter wrote:
>>
>>> In the web browser context, I'm pretty sure you don't control the app
>>> id - it's determined from the origin in the web browser and passed to
>>> the dongle. If you could control it, it would be trivial to do
>>> cooperative cross-origin tracking.
>>
>> I think that is correct, although I am puzzled why the javascript API
>> lets you specify the app id.
>
> You can either specify your origin (this is checked by the
> extension/browser, I assume!), or alternatively a URI that can be HTTP
> GET'd to yield a list of equivalent origins and identities of native
> apps that are allowed to claim the same appId.

The "list of equivalent origins" when I read the spec did _not_ allow
other web origins. This was a hard "No". It only worked with mobile
apps. Has this been relaxed? If so, it's a major privacy problem.

-tom
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
