Ian Hickson wrote:
> Note that the problems you raise also exist (and have long existed) with
> cookies; at least the storage APIs default to a safe state in the general
> case instead of defaulting to an unsafe state.
In what way do the storage APIs default to a "safe state"? What "unsafe
stat
Ian Hickson said (among other things):
It seems that what you are suggesting is that foo.example.com cannot trust
example.com, because example.com could then steal data from
foo.example.com. But there's a much simpler attack scenario for
example.com: it can just take over foo.example.com direct
On Mon, 28 Aug 2006, Shannon Baker wrote:
> >
> > This is mentioned in the "Security and privacy" section; the third
> > bullet point here for example suggests blocking access to "public"
> > storage areas:
> >
> > http://whatwg.org/specs/web-apps/current-work/#user-tracking
>
> I did read t
On 8/28/06, Jim Ley <[EMAIL PROTECTED]> wrote:
On 28/08/06, Shannon Baker <[EMAIL PROTECTED]> wrote:
> I accept tracking is inevitable but we
> shouldn't be making it easier either.
You have to remember that the WHAT-WG individual is a Google employee,
a company that now relies on accurate track
On 28/08/06, Shannon Baker <[EMAIL PROTECTED]> wrote:
> I accept tracking is inevitable but we
> shouldn't be making it easier either.
You have to remember that the WHAT-WG individual is a Google employee,
a company that now relies on accurate tracking of details, so don't be
surprised that any pro
Ian Hickson wrote:
> This is mentioned in the "Security and privacy" section; the third
> bullet point here for example suggests blocking access to "public"
> storage areas:
> http://whatwg.org/specs/web-apps/current-work/#user-tracking
I did read the suggestions and I know the authors have given th
On 8/27/06, Shannon Baker <[EMAIL PROTECTED]> wrote:
== 1: Authors' failure to handle the implications of "global" storage. ==
First let's talk about the global store (globalStorage['']) which is
accessible from ALL domains.
This is mentioned in the "Security and privacy" section; the third
bul
On Sun, 27 Aug 2006 19:11:17 +0700, Shannon Baker <[EMAIL PROTECTED]> wrote:
> But why bother? This whole problem is easily solved by allowing data to
> be stored with an access control list (ACL). For example the site
> developer should be able to specify that a data object be available to
> '*.e