Re: Requesting comments on draft-cheney-safe-02.txt
Hector Santos wrote:
Well, all bets are off. That is why I think you may be blowing against
the wind here. WEB 2.0+ direction is too strong. The market is
certainly caring less for Web 1.0 only support and would rather (because
it is less costly) just spit out a message:
I meant that to say:
Today, if a user is concerned about reaching a site with hidden cross
domain operations, they can use the browser's No Scripting options like
newer IE and Firefoxes with the most excellent NoScript plugin.
At the end of the day, either you allow the site to run as it was
designed if you want to be part of it, or just ignore it if you are
concerned about its cross domain behavior. i.e., FACEBOOK - either you
want to be part of it or you don't because it relies on strong
interactive behavior and TONS of cross domain communications.
Let me illustrate how BAD it has gotten.
I have all the browsers installed on my machine for testing purposes
against our hosting products.
For personal usage, I use Firefox with NoScript. With NoScript, if I
trust the web site I am hopping to I will click the bottom right
status bar NoScript ICON and it will list the main site and other
cross domains it is trying to reach. It offers me to permanently or
temporarily white list the main and/or the others. In general I just
white list the main site, not the cross domain sites.
For all these years that worked great. The sites I most visited still
by default and only enabled the ones I want to get the job done.
Within the last year, more and more sites are saying the above:
Now, if I care or needed to continue, I will enable it. Otherwise,
Today, more and more of the newer sites are completely Web 2.0+ and
unless I completely white list them, I mean everything, even the cross
site AD request and tracking domains, they will not work. Even with
me telling NoScript to open it up.
It's gotten so bad, I have to use Google Chrome when I want complete
unrestricted access to a particular site.
Google Chrome is the first browser to make it 100% known they do not
background communications in a cloud or with their main HQ. Typing
at the address bar is now DYNAMIC. It records everything you do. It's
part of their model of the future. So I use it when I want full web
2.0 experience and I don't worry about what it is doing (even though I
showed how to stop its tracking here):
Other browsers are watching and following suit and overall, it's no
longer what the user wants but rather trying to convince them there is
no harm, "TRUST ME - THE BROWSER" and to change the mindset by having
them ignore the idea that there are tons of communications going on.
Most users don't even know it is going on and certainly not the new
generation - the vendors are betting on it.