On Tue, Apr 26, 2022 at 9:22 PM Vivek Sekhar <[email protected]> wrote:
>> This particular technique has been discussed before, but there's a
>> flaw which wasn't mentioned in this email. The idea assumes that all
>> end users can access the same websites and also that all end users
>> visit similar websites. Neither of those is a given and as such end
>> users that for one reason or another only end up visiting one or two
>> websites that use a "pervasive payload" could be vulnerable to attack.
>
> Thanks for raising this. When you say "can access," are you referring to e.g. 
> national governments or ISPs blocking access to large numbers of 
> otherwise-popular sites? If so, would geography-specific lists of pervasive 
> payloads mitigate this concern? If not, can you provide more details on the 
> scenario you have in mind?

That is part of the concern, but end users can be segmented in more
ways than that. If an end user minority in a region doesn't visit the
websites the end user majority visits, but a website they do visit
uses a "pervasive payload", you have the same risk. The last time we
discussed this in depth I don't think anyone came up with a solution
that would solve this other than with variations on bundling
"pervasive payloads". I'm rather surprised it's coming up again
without accounting for these issues.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADnb78hs2WXzFR4OJYCB9G_a724PZMZtxRpLBdy_QZRYE9zJtg%40mail.gmail.com.
