Comments (9)
We have consensus among the @privacycg/chairs and @johnwilander (as required by our charter) to adopt this as a Work Item, with @johnwilander and @melanierichards as Editors. I'll spin up a repository for this Work Item soon.
from proposals.
A few engineers from Google would like to discuss the ideas in this explainer. We would like to see the explainer move to a venue suitable for multi-vendor collaboration, such as this community group.
To be clear, this is not a commitment to implement from Chrome. We are seeking a venue to discuss the ideas in this explainer.
Thank you very much for your consideration!
from proposals.
Could this be harmonized with https://w3c.github.io/webappsec-credential-management/ somehow? I believe everyone bought into that already at least for WebAuthn purposes. To keep things relatively straightforward for web developers we should probably not have too many different credential endpoints.
I'm also a little skeptical of the HTTP State Token dependency. I'd rather iterate on cookies. (For similar reasons.)
from proposals.
A goal here is maximum ease of adoption. If the dependency on Credential Management doesn't make this any harder to adopt, then sure, but I'm not sure it would. (Maybe it can be an optional dependency.) Unless many sites adopt this, the signal of logged in state will become useless.
I think Credential Management API only has buy-in exactly for the minimum needed for WebAuthentication, and not really for any of the password credentials stuff. In any case, having to opt in to a browser based credential chooser is probably a significant barrier to entry. On top of that, the Credential Management API doesn't tell the browser when a site performs a login or logout action. Only when it gets credentials or stores credentials. That doesn't really align with the concepts of interest here.
(The HTTP State Token dependency is optional, but since state tokens haven't advanced a whole lot, maybe better to consider adding it at a later time.
from proposals.
I'm continuing the discussion in the WebKit repo, as I understood @johnwilander to request: WebKit/explainers#44
from proposals.
From a Me2B perspective, this requires that the individual is first logged in--i.e. in a Me2B relationship--with the browser app.
Having a Me2B Relationship is memorialized through the creation of an account which is, importantly, accompanied with a legal agreement--TOS/TOU or similar.
We draw a distinction between:
- a windowshopping state where the individual has a reasonable expectation of anonymity; this state is characterized by the individual not being logged in [and not wishing to be remembered].
- and the Me2B Relationship state where the individual has voluntarily entered into a contract with the vendor and wishes to be recognized/remembered/responded to (https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/topics-and-advance-readings/functional-identity-primer.md).
The individual can choose to behave in a windowshopping state even if they have a Me2B Relationship (i.e. an account/credentials).
from proposals.
It would be nice if there was also an associated ability for the user to log-out. If they see a site they are deemed by the site to be logged-in to, they might want to be deemed as having logged out.
from proposals.
It would be nice if there was also an associated ability for the user to log-out. If they see a site they are deemed by the site to be logged-in to, they might want to be deemed as having logged out.
See navigator.setLoggedOut(optionalUsername) in the explainer. That is for the site to log the user out. The browser cannot log the user out in the general case beyond deleting all website data for the site.
Note that IsLoggedIn is not for logging in or logging out. It's for the site to tell the browser the user has already logged in or already logged out. IsLoggedIn doesn't manage logins or logouts. It's for sites to tell the browser that they have managed a login or a logout.
from proposals.
Closing, as this is now a Work Item.
from proposals.
Related Issues (20)
- Speculative Request Control HOT 27
- isKnown state HOT 12
- High-level trust signal (requestInstall / requestTrust)? HOT 8
- Site Groups / First Party Sets v2 HOT 10
- Multi data controller / processor data sharing mechanism HOT 2
- Principles of User Privacy (PUP) HOT 17
- Fenced Frames HOT 10
- Ad Topic Hints HOT 15
- Suggested and User-Specified Hierarchical Interests (SUSHI) HOT 1
- Privacy-Safe Storage API HOT 9
- Referrer trimming: Edge's behaviour? HOT 1
- Cookies Having Independent Partitioned State (CHIPS) HOT 3
- Privacy by design with browser-managed E2E encryption and Fenced Frames HOT 3
- Privacy by design with browser-managed E2E encryption with FIDO Protocol and Hardware keys
- Import/export passwords in keepass format for all browsers
- bounce tracking mitigations HOT 3
- requestStorageAccessFor: Page-level cross-site cookie grant API HOT 7
- DNS TLD for Privacy HOT 10
- Web hardware revocation API HOT 3
- Possible Intention Signal stronger than a simple user-gesture requirement
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from proposals.