Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard

2014-11-18 11:55:19
On 11/17/14 9:16 PM, Mark Nottingham wrote:
> Reminder: if you want an e-mail response to a message on this list, please CC:
> me.
>
> Doug Barton said:
>
>> Mark, can you respond to this point in more detail? Specifically, given
>> that there are already more-granular cookie-based solutions which are
>> nearly universally deployed, how much does preventing granularity in the
>> initial signal to the site help avoid this pitfall?
>
> Because the hint is potentially sent on *all* requests, not just selected sites.

Thanks for the response. I'm not sure I find it compelling though. :-/ There are (roughly) three types of web sites: ones that will ignore the flag completely, ones that will honor it as the user intended, and ones that will attempt to use the information to data-mine beyond what the user intended. The first two we can ignore; it's the last type that's of concern, yes?

So what's to stop that malicious site owner from putting up a block on their site unless you fill out the form that tells them the PII they want to know? (Hint: nothing, they already do that.) So either the whole idea of the flag is dangerous because it may reveal something to a malicious site that the user would not want revealed, or the idea is useful, and one bit is not enough granularity to make it truly compelling.

Doug
