|
799 | 799 |
|
800 | 800 |
|
801 | 801 |
|
802 |
| - <h3 id="fingerprint">Privacy concerns</h3> |
803 |
| - |
804 |
| - <!-- NON-NORMATIVE SECTION --> |
805 |
| - |
806 |
| - <p>Some features of HTML trade user convenience for a measure of user privacy.</p> |
807 |
| - |
808 |
| - <p>In general, due to the Internet's architecture, a user can be distinguished from another by the |
809 |
| - user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to |
810 |
| - device, or from network to network, their IP address will change; similarly, NAT routing, proxy |
811 |
| - servers, and shared computers enable packets that appear to all come from a single IP address to |
812 |
| - actually map to multiple users. Technologies such as onion routing can be used to further |
813 |
| - anonymize requests so that requests from a single user at one node on the Internet appear to come |
814 |
| - from many disparate parts of the network.</p> |
815 |
| - |
816 |
| - <p>However, the IP address used for a user's requests is not the only mechanism by which a user's |
817 |
| - requests could be related to each other. Cookies, for example, are designed specifically to enable |
818 |
| - this, and are the basis of most of the Web's session features that enable you to log into a site |
819 |
| - with which you have an account.</p> |
820 |
| - |
821 |
| - <p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can |
822 |
| - be used to distinguish groups of users from each other; by collecting enough such information, an |
823 |
| - individual user's browser's "digital fingerprint" can be computed, which can be as good, if not |
824 |
| - better, as an IP address in ascertaining which requests are from the same user.</p> |
825 |
| - |
826 |
| - <p>Grouping requests in this manner, especially across multiple sites, can be used for both benign |
827 |
| - (and even arguably positive) purposes, as well as for malevolent purposes. An example of a |
828 |
| - reasonably benign purpose would be determining whether a particular person seems to prefer sites |
829 |
| - with dog illustrations as opposed to sites with cat illustrations (based on how often they visit |
830 |
| - the sites in question) and then automatically using the preferred illustrations on subsequent |
831 |
| - visits to participating sites. Malevolent purposes, however, could include governments combining |
832 |
| - information such as the person's home address (determined from the addresses they use when getting |
833 |
| - driving directions on one site) with their apparent political affiliations (determined by |
834 |
| - examining the forum sites that they participate in) to determine whether the person should be |
835 |
| - prevented from voting in an election.</p> |
836 |
| - |
837 |
| - <p>Since the malevolent purposes can be remarkably evil, user agent implementors are encouraged to |
838 |
| - consider how to provide their users with tools to minimize leaking information that could be used |
839 |
| - to fingerprint a user.</p> |
840 |
| - |
841 |
| - <p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit |
842 |
| - to be derived from exposing the very information that can also be used for fingerprinting |
843 |
| - purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to |
844 |
| - log into a site to post under a specific identity requires that the user's requests be |
845 |
| - identifiable as all being from the same user, more or less by definition. More subtly, though, |
846 |
| - information such as how wide text is, which is necessary for many effects that involve drawing |
847 |
| - text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks |
848 |
| - information that can be used to group a user's requests. (In this case, by potentially exposing, |
849 |
| - via a brute force search, which fonts a user has installed, information which can vary |
850 |
| - considerably from user to user.)</p> |
851 |
| - |
852 |
| - <p>Features in this specification which can be <dfn data-x="fingerprinting vector">used to |
853 |
| - fingerprint the user</dfn> are marked as this paragraph is. |
854 |
| - <!--INSERT FINGERPRINT--> |
855 |
| - </p> |
856 |
| - |
857 |
| - <p>Other features in the platform can be used for the same purpose, though, including, though not |
858 |
| - limited to:</p> |
859 |
| - |
860 |
| - <ul> |
861 |
| - |
862 |
| - <li>The exact list of which features a user agents supports.</li> |
863 |
| - |
864 |
| - <li>The maximum allowed stack depth for recursion in script.</li> |
865 |
| - |
866 |
| - <li>Features that describe the user's environment, like Media Queries and the <code>Screen</code> |
867 |
| - object. <ref spec=MQ> <ref spec=CSSOMVIEW></li> |
868 |
| - |
869 |
| - <li>The user's time zone.</li> |
870 |
| - |
871 |
| - </ul> |
872 |
| - |
873 |
| - |
874 | 802 | <h4 id="fingerprint-postMessage">Cross-site communication</h4>
|
875 | 803 |
|
876 | 804 | <p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
|
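Review bot: removing the `<h3 id="fingerprint">Privacy concerns</h3>` heading leaves the unchanged `<h4 id="fingerprint-postMessage">Cross-site communication</h4>` at its old level, so it now nests under whichever h3 precedes it; check the heading hierarchy at that point. The same hunk drops the `<dfn data-x="fingerprinting vector">` definition and the `<!--INSERT FINGERPRINT-->` build marker, so every `fingerprinting vector` cross-reference in the spec must resolve to the replacement definition and the tooling that expanded that marker must no longer expect it. The deleted list item is also the only visible use of `<ref spec=MQ> <ref spec=CSSOMVIEW>`; confirm both are still cited elsewhere, otherwise their References entries become orphans.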
@@ -2365,6 +2293,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
|
2365 | 2293 | <p>The following terms are defined in the WHATWG Infra standard: <ref spec=INFRA></p>
|
2366 | 2294 |
|
2367 | 2295 | <ul class="brief">
|
| 2296 | + <li id="fingerprint"><dfn id="fingerprinting-vector" data-x-href="https://infra.spec.whatwg.org/#fingerprinting-vector">fingerprinting vector</dfn> |
2368 | 2297 | <li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
|
2369 | 2298 | <dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
|
2370 | 2299 | <li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
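Review bot: the added `<li id="fingerprint"><dfn id="fingerprinting-vector" ...>fingerprinting vector</dfn>` line lacks the closing `</li>` that every sibling entry in this `<ul class="brief">` carries (for example `<li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>`); add it for consistency. Carrying the former section's `fingerprint` id over to the list item keeps existing `#fingerprint` links from breaking, but they now land on a one-line entry in the Infra terms list rather than a Privacy concerns section, which is worth noting in the commit message. No other `<dfn>` in this list sets an explicit `id`, so either drop `id="fingerprinting-vector"` or state why this entry needs one.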