XAuth, unofficial

SitG Admin sysadmin at shadowsinthegarden.com
Thu Jun 10 00:15:11 UTC 2010


Thought experiment - XAuth is just JS, so it can be implemented 
*right now* . . . what would be the response from browser vendors if 
sites began to do so, *without* notifying anyone or attempting to 
negotiate for vendor assistance? Imagine.

Sites have already had XAuth-like ability to compromise users' 
privacy for many years; more browser-independent, actually, since 
they could do it with just an image (no JS required) and check the 
other server's logs. Users could be tracked in their movements across 
the web, provided they visited pages infected by the same conspiracy 
of 'ad' networks. Some sites even allowed these off-site images to be 
embedded in user-generated content (Hello, 'avatar'!), hence the term 
"infection". XAuth relies on JavaScript, and may therefore be more 
difficult for 3rd parties to embed - as a privacy threat, is it 
better or worse than what we've all seen before?

As a feature, however well-intentioned and whatever propaganda it is 
evangelized with, is it more or less likely to provoke users into 
demanding that their browser vendors address the issue by "fixing" 
the *privacy leak* . . . and *breaking* the "feature"?

-Shade
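The image-based tracking the post describes (a third-party image embedded in a page or in user-generated content, with the visit recorded in the image host's logs) can be checked for on the serving side. The following is an added example, not code from the post's author or from XAuth: a small scanner that flags cross-origin `<img>` references in submitted HTML and marks the 1x1 ones that exist only to log a request. The site hostname and the sample post are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffsiteImageFinder(HTMLParser):
    """Collect <img> tags whose src points at a host other than the site's own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.offsite = []  # (src, is_beacon) for each cross-origin image

    def _is_own_host(self, host):
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs (same origin)
        if host is None or self._is_own_host(host):
            return
        # A 0x0 or 1x1 image carries no content; its only effect is the
        # request (and log entry) on the third-party host.
        beacon = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.offsite.append((src, beacon))


def find_offsite_images(html, site_host):
    """Return [(src, is_beacon), ...] for every cross-origin <img> in html."""
    parser = OffsiteImageFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.offsite


# Constructed sample post: a local avatar, a 1x1 beacon on a tracking host,
# and an avatar hot-linked from another third-party host.
SAMPLE_POST = """<div class="post">
  <img src="/avatars/alice.png" width="48" height="48">
  <p>Hello!</p>
  <img src="http://tracker.example/log.gif?u=alice" width="1" height="1">
  <img src="https://cdn.example/pics/avatar.jpg">
</div>"""

if __name__ == "__main__":
    for src, beacon in find_offsite_images(SAMPLE_POST, "shadowsinthegarden.com"):
        print("BEACON " if beacon else "OFFSITE", src)
```

A moderation or sanitizing step can reject or proxy the flagged sources; the local avatar and any image on a subdomain of the site pass untouched.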
