Re: eww

[Lars Magne Ingebrigtsen]

Stefan Monnier <address@hidden> writes:

> That's for the case where you go the same URL.  When I go back in my
> history, I don't just want to see the same web-page, I want to see it in
> the exact state I left it (e.g. with whatever text I had typed into the
> forms, with point at the same place, ...).
> And most importantly, I want to be able to see it even if the network
> connection went down.
>
> So, no, when going back in my history I do *not* want to honor stuff
> like Cache-Control.

That would be my preference, too, but there are security implications.
Like today's story:

http://it.slashdot.org/story/13/06/20/0250206/21-financial-sites-found-to-store-sensitive-data-in-browser-disk-cache

Now, eww won't store things in on disk, but if we're storing all this
stuff in memory indefinitely, we're leaving the users open for various
attacks on their privacy.

Like I said, my preference would be to leave everything in memory
myself, because I think this attack vector is pretty, er, slim (i.e.,
"if this is a problem, then my machine is already hacked, so why
worry?"), but as a default policy, I think it's problematic.

-- 
(domestic pets only, the antidote for overdose, milk.)
  bloggy blog http://lars.ingebrigtsen.no/