[cap-talk] Rich Sharing and Clusterken videos come to YouTube

David Bruant bruant.d at gmail.com
Sun Mar 18 12:57:23 PDT 2012


On 15/03/2012 00:53, Marc Stiegler wrote:
> Second is Webkeys or Passwords: Which is More Secure?
> http://www.youtube.com/watch?v=C7Pt9PGs4C4
I'd like to take a minute to expand on how current browsers are hostile
to webkeys besides the bookmark hovering shown in the video.

First, there is the URL bar. Indeed, it just shows the URL, which is
annoying when you wish the URL to be kept secret. If the secret is kept
in the fragment part, it can be changed in JavaScript by doing:

    location.hash = "yo"

If the secret is not kept in the fragment, the recent History API can
save you by replacing the URL bar content in JavaScript [1]. Browser
support is good [2] assuming you can tell IE6-9 users to go away :-)


A second browser annoyance regarding webkeys is the Referer HTTP header.
The problem is that if the secret is somewhere other than in the fragment
part, it will be sent along with any HTTP request to any server.
The Referer header has bitten a lot of people [3] and there is some
discussion of a feature limiting the Referer header [4] sent along
with a request. I think it's implemented in WebKit but not shipped in
browsers yet. Firefox is in the process of implementing it [5].

David

[1] https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history#The_replaceState%28%29.C2.A0method
[2] http://caniuse.com/#feat=history
[3] https://www.facebook.com/notes/facebook-engineering/protecting-privacy-with-referrers/392382738919
[4] http://wiki.whatwg.org/index.php?title=Meta_referrer
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=704320
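
The two points in the message above (scrubbing the URL bar, and the Referer header carrying anything outside the fragment), as an added JavaScript example that is not part of the original post. The function names, the `s` parameter name and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example; function names, the "s" parameter and URLs are constructed.
const KEY_PARAM = "s";

// Split a webkey URL into the secret and a URL that is safe to display.
// The secret may sit in the fragment (#s=...) or in the query (?s=...).
function splitWebkey(href, param = KEY_PARAM) {
  const url = new URL(href);
  const frag = new URLSearchParams(url.hash.slice(1));
  let secret = null, where = null;
  if (frag.has(param)) {
    secret = frag.get(param); where = "fragment";
    frag.delete(param);
    url.hash = frag.toString();        // empty string drops the "#"
  } else if (url.searchParams.has(param)) {
    secret = url.searchParams.get(param); where = "query";
    url.searchParams.delete(param);
  }
  return { secret, where, displayUrl: url.href };
}

// Referer value when the browser sends the full page URL (the behaviour the
// message describes): everything except the fragment.
function fullUrlReferer(href) {
  const url = new URL(href);
  url.hash = "";
  return url.href;
}

// True when a full-URL Referer would hand the secret to another server.
function leaksInReferer(href, param = KEY_PARAM) {
  const { secret } = splitWebkey(href, param);
  return secret !== null && fullUrlReferer(href).includes(secret);
}

// Browser side: keep the secret in memory, replace the URL bar content via
// the History API, and add a meta referrer element so no Referer is sent.
function hideWebkey(win) {
  const { secret, displayUrl } = splitWebkey(win.location.href);
  if (secret === null) return null;
  win.history.replaceState(null, "", displayUrl);
  const meta = win.document.createElement("meta");
  meta.name = "referrer";
  meta.content = "no-referrer";
  win.document.head.appendChild(meta);
  return secret;                       // caller holds it; URL bar no longer does
}
```

Once the URL bar is scrubbed, a reload or a bookmark of the page no longer carries the key, and requests the page issued before the script ran were not covered by the referrer policy.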

