Talk:Features/Social Help
< Talk:Features
Revision as of 20:22, 26 May 2015 by Quozl (talk | contribs) (→No URL entry box leads to insecurity)
Missing content
This feature page does not mention:
- that an account must be created by the learner,
- that the learner must have an e-mail account,
- whether a cookie for the account remains on the device,
- a privacy policy,
--Quozl 20 May 2015
- Cookies are stored in the user's sugar profile directory. It is persistent between usages.
- As for your other comments, they are 100% dependent on the user's or deployment's configured server.
- On socialhelp.sugarlabs.org (the default server):
- We use discourse, and email and accounts are very central to discourse. Discourse is a very good piece of software and I suppose this is a compromise I am willing to make.
- Accounts could be pre-created by deployments or kids could ask questions using a teachers account
- We have a very stock standard privacy policy, it is very simple to understand and I recommend reading it. It does have a bad policy on COPPA, which is an issue to fix.
- --SAMdroid 21 May 2015
- Okay, thanks. I think the feature page should mention these things. Other things it could mention are:
- there is no support for deleting the cookies, (re: european union right to forget and cookie legislation),
- how to disable the feature for deployments who do not have a configured server,
- the requirements for the web application on the server, (e.g. it will be used in an embedded web browser that is unable to fill the display, unable to be dismissed without losing context, has no bookmark or URL entry capability, and has no HTTP AUTH capability),
- --Quozl (talk) 19:13, 25 May 2015 (EDT)
- Okay, thanks. I think the feature page should mention these things. Other things it could mention are:
How to add help to an activity?
Activity developers need to know how to add help in a way that will work with Alt-Ctrl-H, where is this documented? --Quozl (talk) 20:31, 25 May 2015 (EDT)
No URL entry box, URL spoofing
The embedded browser used by this feature does not show an entry box for the URL. This removes one of the critical security features of web browsers; the ability to verify that the site you are visiting is the right one, and you haven't been redirected to another.
Are there any controls in place to mitigate this? Such as restricting the browser to the configured server. --Quozl (talk) 21:19, 26 May 2015 (EDT)
References: