> I actually thought of what you suggest. But:
Let me put it this way: You are testing the browser, and there can be 2 modes
of failure.
(1) Malevolence = Deliberate info leaking. In this case, no matter where you
access, what the content or protocol is, the browser will do its thing. To
isolate malicious behavior and to make it stick out, the least parasitic
environment (simplest protocol, no scripts, etc.) is best.
(2) Inferiority = Inadvertent info leaking. This is much more difficult to
spot than the former case. Leakage due to inferior implementation can occur
almost anywhere and everywhere. You need to test a zillion combinations, and
spot the leakage among the chatter. Sorry but this is beyond my mortal
capabilities. Good luck, if you want to test that.
Also, inferiority means a bug, and this is a technical failure (which can occur
in any software any time) rather than a behavioral one. So I assume you are
after behavioral failures (deliberate spying), that is you are after (1).
Therefore I sustain my original suggestion - of the simplest test case
possible.
As for doing the tests myself, I'm also aware of the fact that everyone is
just clapping from the sidelines for something they would directly benefit
from. But for me, while I find your work very commendable and very useful for
many, I'm only interested in it as a technical debate, and not concerned
enough to protect my privacy. I don't know why - I should have been. For
instance I haven't tried the user.js you have shared (yet). So I talk the
talk, but don't walk the walk. :) (correct usage of the term, I hope)