Thought experiment - XAuth is just JS, so it can be implemented *right now* . . . what would be the response from browser vendors if sites began to do so, *without* notifying anyone or attempting to negotiate for vendor assistance? Imagine.

Sites have already had XAuth-like ability to compromise users' privacy for many years; more browser-independent, actually, since they could do it with just an image (no JS required) and check the other server's logs. Users could be tracked in their movements across the web, provided they visited pages infected by the same conspiracy of 'ad' networks. Some sites even allowed these off-site images to be embedded in user-generated content (Hello, 'avatar'!), hence the term "infection". XAuth relies on JavaScript, and may therefore be more difficult for 3rd parties to embed - as a privacy threat, is it better or worse than what we've all seen before?

As a feature, however well-intentioned and whatever propaganda it is evangelized with, is it more or less likely to provoke users into demanding that their browser vendors address the issue by "fixing" the *privacy leak* . . . and *breaking* the "feature"?

-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
