On 8 March 2016 at 18:45, Mark Nottingham <[email protected]> wrote:
> I've seen CPs that ask for Facebook username and password, but NOT over
> HTTPS, and not to a Facebook domain (IIRC); it's more of a user education /
> security UX problem than anything.

That's perhaps an extreme - and horrific - example of what I thought you intended here. Loading a real browser allows a CP to close the loop with tracking bugs. That is less offensive, though to what degree might depend on where you sit.

There are probably plenty of potentially relevant reasons too. For example, a network operator might simply want to authorize one set of users (their paying customers) over others. A sandbox in that context represents a hurdle for their users, who can't rely on cookies or other preexisting state. The sandbox then has security drawbacks in that it encourages users to pick less secure passwords.

_______________________________________________
Captive-portals mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/captive-portals
