On Wed, Apr 27, 2022 at 8:50 AM Anne van Kesteren <[email protected]> wrote:
> On Tue, Apr 26, 2022 at 9:22 PM Vivek Sekhar <[email protected]> wrote:
> >> This particular technique has been discussed before, but there's a
> >> flaw which wasn't mentioned in this email. The idea assumes that all
> >> end users can access the same websites and also that all end users
> >> visit similar websites. Neither of those is a given and as such end
> >> users that for one reason or another only end up visiting one or two
> >> websites that use a "pervasive payload" could be vulnerable to attack.
> >
> > Thanks for raising this. When you say "can access," are you referring to
> > e.g. national governments or ISPs blocking access to large numbers of
> > otherwise-popular sites? If so, would geography-specific lists of pervasive
> > payloads mitigate this concern? If not, can you provide more details on the
> > scenario you have in mind?
>
> That is part of the concern, but end users can be segmented in more
> ways than that. If an end user minority in a region doesn't visit the
> websites the end user majority visits, but a website they do visit
> uses a "pervasive payload", you have the same risk. The last time we
> discussed this in depth I don't think anyone came up with a solution
> that would solve this other than with variations on bundling
> "pervasive payloads". I'm rather surprised it's coming up again
> without accounting for these issues.

Hey Anne! :)

I agree that the concerns you raise are definitely something we'd need to resolve before shipping this. At the same time, this intent is for a short-lived experiment, aiming to quantify the benefits of the feature, before investing efforts in resolving those hard problems.
