- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 8 Feb 2010 18:10:02 -0800
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: John Kemp <john@jkemp.net>, Dan Connolly <connolly@w3.org>, ashok.malhotra@oracle.com, Larry Masinter <masinter@adobe.com>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
On Mon, Feb 8, 2010 at 5:29 PM, Tim Berners-Lee <timbl@w3.org> wrote:
>
> On 2010-02-08, at 07:41, John Kemp wrote:
>
> Yes, I believe that to be true too - apart from the case where a URI may end
> up being transmitted to another site "automatically" by means of the Referer
> HTTP header.
>
>
> Generalizing, you could argue that client software is written so as to store
> and remember and spread URIs, unlike passwords. So passwords are stored
> hidden away in some way, but browsing history and bookmarks are not.

That seems like an enormous logical leap to take based only on the Referer header. It is also contrary to the implementation of most user-agents, which protect the browsing history and bookmarks from access by presented content, just as they do passwords. Projects such as Mozilla's Weave, which support synchronizing this information across user-agents, also go to significant lengths to ensure the data is never in cleartext outside the user's computer. All data is sent encrypted and stored encrypted on Mozilla's servers. See:

http://mozillalabs.com/weave/

Clearly they believe the browser history and bookmarks are confidential information to be protected.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 9 February 2010 02:10:36 UTC