From 4a2ca6754c5a13fc0c9481203959f137f945fd80 Mon Sep 17 00:00:00 2001 From: Jay Harris Date: Wed, 19 Jun 2019 09:51:44 +1000 Subject: [PATCH 1/3] Adds a section about tricking users --- explainer.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/explainer.md b/explainer.md index dd6bd34..531b57f 100644 --- a/explainer.md +++ b/explainer.md @@ -274,3 +274,5 @@ full power of showing a native badge. ### Security and Privacy Considerations The API is set only, so data badged can't be used to track a user. Whether the API is present could possibly be used as a bit of entropy to fingerprint users, but this is the case for all new APIs. +A potential concern is that a web application could trick users into unnecessarily opening the application by showing a badge. By opening the application, the user could unintentionally expose private information. This is similar to the risk posed by notifications. + From 26ab42f2dc6a057cc3855d1412e3333732074758 Mon Sep 17 00:00:00 2001 From: Jay Harris Date: Wed, 19 Jun 2019 09:52:47 +1000 Subject: [PATCH 2/3] removes trailing whitespace --- explainer.md | 1 - 1 file changed, 1 deletion(-) diff --git a/explainer.md b/explainer.md index 531b57f..89bb7b9 100644 --- a/explainer.md +++ b/explainer.md @@ -275,4 +275,3 @@ full power of showing a native badge. The API is set only, so data badged can't be used to track a user. Whether the API is present could possibly be used as a bit of entropy to fingerprint users, but this is the case for all new APIs. A potential concern is that a web application could trick users into unnecessarily opening the application by showing a badge. By opening the application, the user could unintentionally expose private information. This is similar to the risk posed by notifications. - From 5f6795d4072e6e961b0086f4a42abdee34158e90 Mon Sep 17 00:00:00 2001 From: Jay Harris Date: Thu, 27 Jun 2019 12:09:59 +1000 Subject: [PATCH 3/3] Updates spec, removes section --- explainer.md | 2 -- index.html | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/explainer.md b/explainer.md index 89bb7b9..dfcdf2e 100644 --- a/explainer.md +++ b/explainer.md @@ -273,5 +273,3 @@ full power of showing a native badge. ### Security and Privacy Considerations The API is set only, so data badged can't be used to track a user. Whether the API is present could possibly be used as a bit of entropy to fingerprint users, but this is the case for all new APIs. - -A potential concern is that a web application could trick users into unnecessarily opening the application by showing a badge. By opening the application, the user could unintentionally expose private information. This is similar to the risk posed by notifications. diff --git a/index.html b/index.html index 93707a0..468caf2 100644 --- a/index.html +++ b/index.html @@ -111,6 +111,7 @@

If the application's badge is nothing, the badge is said to be "cleared". Otherwise, it is said to be "set".

+

Note: The API is set only, so the badge data cannot be used to identify users.