[whatwg] Proposal for a debugging information API
ian at hixie.ch
Fri Nov 16 10:06:31 PST 2012
On Thu, 15 Nov 2012, David Barrett-Kahn wrote:
> Ian, I'd be interested in what you had in mind when you said 'a lot of
> user opt-in'.
I don't know, exactly. It has to be something where we're confident that
the user understands that he is about to send sensitive information to a
The concern isn't when this is used by a company like Apple or Facebook;
the worst such companies are going to do with sensitive data is target ads
better or make their products more streamlined. The concern is when some
attacker wants to get information about your company's intranet's
topology, or wants to know what potentially vulnerable plugins or
extensions you have installed, or wants to know what software you are
running, so that they can more precisely target you. Such an attacker can
trivially provide you with a game to play, and then have the game crash,
misleading you into thinking they're a perfectly honest game developer and
causing you to eagerly send them all the sensitive information they want.
These are not hypothetical concerns. Over the last few years, targetted
attacks of this nature have become much more common and are a real threat.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg