On 11/17/14 9:16 PM, Mark Nottingham wrote:
Reminder: if you want an e-mail response to a message on this list, please CC: me.
Doug Barton said:
Mark, can you respond to this point in more detail? Specifically, given
that there are already more-granular cookie-based solutions which are
nearly universally deployed, how much does preventing granularity in the
initial signal to the site help avoid this pitfall?
Because the hint is potentially sent on *all* requests, not just selected sites.
Thanks for the response. I'm not sure I find it compelling though. :-/
There are (roughly) three types of web sites, ones that will ignore the
flag completely, ones that will honor it as the user intended, and ones
that will attempt to use the information to data-mine beyond what the
user intended. The first two we can ignore, it's the last type that's of
concern, yes?
So what's to stop that malicious site owner from putting up a block on
their site unless you fill out the form that tells them the PII they
want to know? (Hint: nothing, they already do that) So either the whole
idea of the flag is dangerous because it may reveal something to a
malicious site that the user would not want revealed, or the idea is
useful, and one bit is not enough granularity to make it truly compelling.
Doug