[cap-talk] Webkeys vs. the web
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Thu Apr 2 00:10:11 EDT 2009
Raoul Duke wrote:
> David-Sarah Hopwood wrote:
>> A webkey will have a random-looking object ID that the user would have to
>> assume might be specific to their account.
>
> from a usability+security standpoint, i don't feel it is OK to require
> that users parse URLs to decide if they are something they shouldn't
> copy-and-paste to another person,
That wasn't the issue. A hypothetical user was making an assumption that
required them to do unreliable URL parsing, but that is not a necessary
assumption and that fails for many existing, non-webkey, sites.
"Doctor, it hurts when I do this."
> and to figure out precisely what
> another person would then see if they followed it.
No-one is suggesting that they should. The point was: the assumption
that Ihab posited that users may make about URLs being relative to the
logged-in user's account may be unreliable for webkey-based sites, but
it is also frequently unreliable for other sites using URLs containing
similar random-looking IDs. So if a user makes this assumption *without*
parsing the URL, then the problem is that the user does not understand
common behaviour of web sites; not with the use of webkeys.
The fact that there exist *some* URLs, such as the Amazon one posted
earlier, for which the assumption that they are relative to an account
is correct-by-coincidence, does not imply that there is anything
significantly wrong with web apps that don't satisfy it.
--
David-Sarah Hopwood ⚥
More information about the cap-talk
mailing list