
Commit e7a8ffb

Use Infra as infrastructure for tracking/fingerprinting marking
This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.
1 parent 1ab7c86 commit e7a8ffb

1 file changed: +45 -123 lines changed

source

Lines changed: 45 additions & 123 deletions
@@ -783,94 +783,6 @@ interface <dfn data-x="">Example</dfn> {
783783

784784

785785

786-
<h3 id="fingerprint">Privacy concerns</h3>
787-
788-
<!-- NON-NORMATIVE SECTION -->
789-
790-
<p>Some features of HTML trade user convenience for a measure of user privacy.</p>
791-
792-
<p>In general, due to the Internet's architecture, a user can be distinguished from another by the
793-
user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
794-
device, or from network to network, their IP address will change; similarly, NAT routing, proxy
795-
servers, and shared computers enable packets that appear to all come from a single IP address to
796-
actually map to multiple users. Technologies such as onion routing can be used to further
797-
anonymize requests so that requests from a single user at one node on the Internet appear to come
798-
from many disparate parts of the network.</p>
799-
800-
<p>However, the IP address used for a user's requests is not the only mechanism by which a user's
801-
requests could be related to each other. Cookies, for example, are designed specifically to enable
802-
this, and are the basis of most of the Web's session features that enable you to log into a site
803-
with which you have an account.</p>
804-
805-
<p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
806-
be used to distinguish groups of users from each other; by collecting enough such information, an
807-
individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not
808-
better than, an IP address in ascertaining which requests are from the same user.</p>
809-
810-
<p>Grouping requests in this manner, especially across multiple sites, can be used for both benign
811-
(and even arguably positive) purposes, as well as for malevolent purposes. An example of a
812-
reasonably benign purpose would be determining whether a particular person seems to prefer sites
813-
with dog illustrations as opposed to sites with cat illustrations (based on how often they visit
814-
the sites in question) and then automatically using the preferred illustrations on subsequent
815-
visits to participating sites. Malevolent purposes, however, could include governments combining
816-
information such as the person's home address (determined from the addresses they use when getting
817-
driving directions on one site) with their apparent political affiliations (determined by
818-
examining the forum sites that they participate in) to determine whether the person should be
819-
prevented from voting in an election.</p>
820-
821-
<p>Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to
822-
consider how to provide their users with tools to minimize leaking information that could be used
823-
to fingerprint a user.</p>
824-
825-
<p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
826-
to be derived from exposing the very information that can also be used for fingerprinting
827-
purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to
828-
log into a site to post under a specific identity requires that the user's requests be
829-
identifiable as all being from the same user, more or less by definition. More subtly, though,
830-
information such as how wide text is, which is necessary for many effects that involve drawing
831-
text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks
832-
information that can be used to group a user's requests. (In this case, by potentially exposing,
833-
via a brute force search, which fonts a user has installed, information which can vary
834-
considerably from user to user.)</p>
835-
836-
<p w-nodev>Features in this specification which can be <dfn data-x="fingerprinting vector">used to
837-
fingerprint the user</dfn> are marked as this paragraph is.
838-
<!--INSERT FINGERPRINT-->
839-
</p>
840-
841-
<p>Other features in the platform can be used for the same purpose, though, including, though not
842-
limited to:</p>
843-
844-
<ul>
845-
846-
<li>The exact list of which features a user agents supports.</li>
847-
848-
<li>The maximum allowed stack depth for recursion in script.</li>
849-
850-
<li>Features that describe the user's environment, like Media Queries and the <code>Screen</code>
851-
object. <ref spec=MQ> <ref spec=CSSOMVIEW></li>
852-
853-
<li>The user's time zone.</li>
854-
855-
</ul>
856-
857-
858-
<h4 id="fingerprint-postMessage">Cross-site communication</h4>
859-
860-
<p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
861-
which two sites can communicate directly. At first glance, this might appear to open a new way by
862-
which the problems described above can occur. However, in practice, multiple mechanisms exist by
863-
which two sites can communicate that predate this API: a site embedding another can send data via
864-
an <code>iframe</code> element's dimensions; a site can use a cross-site image request with a
865-
unique identifier known to the server to initiate a server-side data exchange; or indeed the
866-
fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
867-
such that information can then be exchanged on the server side.</p>
868-
869-
<p>Fundamentally, users that do not trust a site to treat their information with respect have to
870-
avoid visiting that site at all.</p>
871-
872-
873-
874786

875787
<h3>A quick introduction to HTML</h3>
876788

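Review bot: deleting the whole "Privacy concerns" h3 together with its "Cross-site communication" h4 drops non-normative material that nothing in this commit carries over, in particular the list of other fingerprinting surfaces (the exact set of supported features, the script recursion limit, Media Queries and the Screen object, the user's time zone) and the explanation of why postMessage() does not open a materially new cross-site channel. Before landing, confirm that the Infra "tracking vector" section this change points to (whatwg/infra#115 per the commit message) covers that content, or move it there in the same change. The hunk also removes the visible uses of `<ref spec=MQ>` and `<ref spec=CSSOMVIEW>`; check whether the references section still cites those specs elsewhere and drop the entries if it does not. The `<dfn data-x="fingerprinting vector">` goes away here as well, so any `data-x="fingerprinting vector"` cross-reference that this commit does not convert will dangle; the old `#fingerprint` and `#fingerprint-postMessage` anchors are re-created by later hunks, so incoming links survive.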
@@ -2172,7 +2084,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
21722084
fingerprinting vector that increases the chances of users being uniquely identified, user agents
21732085
are encouraged to support the exact same set of <span data-x="plugin">plugins</span> for each
21742086
user.
2175-
<!--INSERT FINGERPRINT-->
2087+
<!--INSERT TRACKING-->
21762088
</p>
21772089

21782090
</div>
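Review bot: the `<!--INSERT FINGERPRINT-->` to `<!--INSERT TRACKING-->` rename in this hunk (and the identical ones below) only takes effect once the build tool expands the new marker, and the commit message names whatwg/wattsi#41 as that dependency; do not merge ahead of it, or the annotation these markers produce will simply be missing from the built spec. After applying the patch, a grep for `INSERT FINGERPRINT` over the file would confirm that no stragglers remain.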
@@ -2434,7 +2346,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
24342346
<p id="hardwareLimitations">User agents may impose implementation-specific limits on otherwise
24352347
unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of
24362348
memory, or to work around platform-specific limitations.
2437-
<!--INSERT FINGERPRINT-->
2349+
<!--INSERT TRACKING-->
24382350
</p>
24392351

24402352
<p>For compatibility with existing content and prior specifications, this specification describes
@@ -2472,6 +2384,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
24722384
<li>The general iteration terms <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-while">while</dfn>,
24732385
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-continue">continue</dfn>, and
24742386
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn>.</li>
2387+
<li id="fingerprint"><span id="fingerprinting-vector"></span><dfn
2388+
data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>
2389+
<!-- INSERT TRACKING -->
2390+
</li>
24752391
<li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
24762392
<dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
24772393
<li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
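Review bot: the marker in the new list item is spelled `<!-- INSERT TRACKING -->` with inner spaces, while every other hunk in this commit uses `<!--INSERT TRACKING-->` (the spaced form also appears in the postMessage note further down). If the build tool matches the comment text literally, this occurrence will not be expanded; use the unspaced form throughout. The rest of the item looks right: `id="fingerprint"` plus the empty `<span id="fingerprinting-vector">` keep the old anchors resolvable, and `data-x-href` delegates the definition of "tracking vector" to Infra.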
@@ -9471,7 +9387,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
94719387
origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
94729388
<code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
94739389
for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
9474-
using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES><!--INSERT FINGERPRINT--></p>
9390+
using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES>
9391+
<!--INSERT TRACKING-->
9392+
</p>
94759393

94769394
<p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
94779395
the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span>origin</span> is
@@ -34415,7 +34333,7 @@ interface <dfn>MediaError</dfn> {
3441534333
<span>media resource</span>. In the even rarer case of a <span>media resource</span> with no
3441634334
explicit timings of any kind, not even frame durations, the user agent must itself determine the
3441734335
time for each frame in a user-agent-defined manner.
34418-
<!--INSERT FINGERPRINT-->
34336+
<!--INSERT TRACKING-->
3441934337
</p>
3442034338

3442134339
<p class="note">An example of a file format with no explicit timeline but with explicit frame
@@ -48164,7 +48082,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
4816448082
implementation-defined string that means "Submit" or some such.</span> The element is a <span
4816548083
data-x="concept-button">button</span>, specifically a <span data-x="concept-submit-button">submit
4816648084
button</span>.
48167-
<!--INSERT FINGERPRINT-->
48085+
<!--INSERT TRACKING-->
4816848086
</p>
4816948087

4817048088
<p class="note">Since the default label is implementation-defined, and the width of the button
@@ -48537,7 +48455,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
4853748455
attribute, the button's label must be the value of that attribute; otherwise, it must be an
4853848456
implementation-defined string that means "Reset" or some such.</span> The element is a <span
4853948457
data-x="concept-button">button</span>.
48540-
<!--INSERT FINGERPRINT-->
48458+
<!--INSERT TRACKING-->
4854148459
</p>
4854248460

4854348461
<p class="note">Since the default label is implementation-defined, and the width of the button
@@ -63768,7 +63686,7 @@ try {
6376863686
the <code>CanvasText</code> interface, and then using the returned <span>inline box</span> must
6376963687
return a new <code>TextMetrics</code> object with members behaving as described in the following
6377063688
list: <ref spec=CSS>
63771-
<!--INSERT FINGERPRINT-->
63689+
<!--INSERT TRACKING-->
6377263690
</p>
6377363691

6377463692
</div>
@@ -75138,7 +75056,7 @@ addShortcutKeyLabel(document.getElementById('c'));</code></pre>
7513875056
key that corresponds to the value given in the attribute, can be used as the access key, then
7513975057
the user agent may assign that combination of keys as the element's <span>assigned access
7514075058
key</span> and return.
75141-
<!--INSERT FINGERPRINT-->
75059+
<!--INSERT TRACKING-->
7514275060
</p></li>
7514375061

7514475062
</ol>
@@ -88047,7 +87965,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
8804787965
<li>The user has not disabled scripting for this <span>browsing context</span> at this time.
8804887966
(User agents may provide users with the option to disable scripting globally, or in a
8804987967
finer-grained manner, e.g. on a per-origin basis.)
88050-
<!--INSERT FINGERPRINT-->
87968+
<!--INSERT TRACKING-->
8805187969
</li>
8805287970

8805387971
<li id="sandboxScriptBlocked">The <span>browsing context</span>'s <span>active document</span>'s
@@ -90969,7 +90887,7 @@ import "https://example.com/foo/../module2.mjs";</code></pre>
9096990887

9097090888
<li><p>Let <var>message</var> be a user-agent-defined string describing the error in a
9097190889
helpful manner.
90972-
<!--INSERT FINGERPRINT-->
90890+
<!--INSERT TRACKING-->
9097390891
</p></li>
9097490892

9097590893
<li><p>Let <var>errorValue</var> be the value that represents the error: in the case of an
@@ -94863,7 +94781,7 @@ interface <dfn>Navigator</dfn> {
9486394781
profile the user. In fact, if enough such information is available, a user can actually be
9486494782
uniquely identified. For this reason, user agent implementers are strongly urged to include as
9486594783
little information in this API as possible.
94866-
<!--INSERT FINGERPRINT-->
94784+
<!--INSERT TRACKING-->
9486794785
</p>
9486894786

9486994787
</div>
@@ -94944,7 +94862,7 @@ interface <dfn>Navigator</dfn> {
9494494862

9494594863
<li>Any information in this API that varies from user to user can be used to profile or identify
9494694864
the user.
94947-
<!--INSERT FINGERPRINT-->
94865+
<!--INSERT TRACKING-->
9494894866
</li>
9494994867

9495094868
<li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
@@ -94961,7 +94879,7 @@ interface <dfn>Navigator</dfn> {
9496194879
<p>To avoid introducing any more fingerprinting vectors, user agents should use the same list for
9496294880
the APIs defined in this function as for the HTTP `<code
9496394881
data-x="http-accept-language">Accept-Language</code>` header.
94964-
<!--INSERT FINGERPRINT-->
94882+
<!--INSERT TRACKING-->
9496594883
</p>
9496694884

9496794885
</div>
@@ -95508,13 +95426,13 @@ interface <dfn>MimeType</dfn> {
9550895426
<p>The <span>supported property indices</span> of a <code>PluginArray</code> object are the
9550995427
numbers from zero to the number of non-<span data-x="hidden plugin">hidden</span> <span
9551095428
data-x="plugin">plugins</span> represented by the object, if any.
95511-
<!--INSERT FINGERPRINT-->
95429+
<!--INSERT TRACKING-->
9551295430
</p>
9551395431

9551495432
<p>The <dfn><code data-x="dom-PluginArray-length">length</code></dfn> attribute must return the
9551595433
number of non-<span data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span>
9551695434
represented by the object.
95517-
<!--INSERT FINGERPRINT-->
95435+
<!--INSERT TRACKING-->
9551895436
</p>
9551995437

9552095438
<p>The <dfn><code data-x="dom-PluginArray-item">item()</code></dfn> method of a
@@ -95535,14 +95453,14 @@ interface <dfn>MimeType</dfn> {
9553595453

9553695454
</ol>
9553795455

95538-
<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95539-
privacy</span> that the order of plugins not leak additional information, e.g. the order in which
95456+
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95457+
privacy</span> that the order of plugins not leak additional information, e.g., the order in which
9554095458
plugins were installed.</p>
9554195459

9554295460
<p>The <span>supported property names</span> of a <code>PluginArray</code> object are the values
9554395461
of the <code data-x="dom-Plugin-name">name</code> attributes of all the <code
9554495462
data-x="dom-Plugin">Plugin</code> objects represented by the <code>PluginArray</code> object.
95545-
<!--INSERT FINGERPRINT-->
95463+
<!--INSERT TRACKING-->
9554695464
</p>
9554795465

9554895466
<p>The <dfn><code data-x="dom-PluginArray-namedItem">namedItem()</code></dfn> method of a
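Review bot: the `e.g.` to `e.g.,` edit in the privacy note is an unrelated editorial change riding along with the marker rename, and it recurs in the two MIME type notes below; either split it out or mention it in the commit message so the diff reads as the single mechanical change its title describes. The `data-x="fingerprinting vector"` to `data-x="tracking vector"` change is required for these `no-backref` spans to resolve to the new Infra-backed dfn and is correct.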
@@ -95587,14 +95505,14 @@ interface <dfn>MimeType</dfn> {
9558795505
supported</span> by non-<span data-x="hidden plugin">hidden</span> <span
9558895506
data-x="plugin">plugins</span> represented by the corresponding <code>PluginArray</code> object, if
9558995507
any.
95590-
<!--INSERT FINGERPRINT-->
95508+
<!--INSERT TRACKING-->
9559195509
</p>
9559295510

9559395511
<p>The <dfn><code data-x="dom-MimeTypeArray-length">length</code></dfn> attribute must return the
9559495512
number of <span data-x="MIME type">MIME types</span> <span>explicitly supported</span> by non-<span
9559595513
data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span> represented by the
9559695514
corresponding <code>PluginArray</code> object, if any.
95597-
<!--INSERT FINGERPRINT-->
95515+
<!--INSERT TRACKING-->
9559895516
</p>
9559995517

9560095518
<p>The <dfn><code data-x="dom-MimeTypeArray-item">item()</code></dfn> method of a
@@ -95616,14 +95534,14 @@ interface <dfn>MimeType</dfn> {
9561695534

9561795535
</ol>
9561895536

95619-
<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95620-
privacy</span> that the order of MIME types not leak additional information, e.g. the order in
95537+
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95538+
privacy</span> that the order of MIME types not leak additional information, e.g., the order in
9562195539
which plugins were installed.</p>
9562295540

9562395541
<p>The <span>supported property names</span> of a <code>MimeTypeArray</code> object are the values
9562495542
of the <code data-x="dom-MimeType-type">type</code> attributes of all the <code>MimeType</code>
9562595543
objects represented by the <code>MimeTypeArray</code> object.
95626-
<!--INSERT FINGERPRINT-->
95544+
<!--INSERT TRACKING-->
9562795545
</p>
9562895546

9562995547
<p>The <dfn><code data-x="dom-MimeTypeArray-namedItem">namedItem()</code></dfn> method of a
@@ -95652,12 +95570,12 @@ interface <dfn>MimeType</dfn> {
9565295570

9565395571
<p>The <span>supported property indices</span> of a <code data-x="dom-Plugin">Plugin</code> object
9565495572
are the numbers from zero to the number of <span>reported MIME types</span>.
95655-
<!--INSERT FINGERPRINT-->
95573+
<!--INSERT TRACKING-->
9565695574
</p>
9565795575

9565895576
<p>The <dfn><code data-x="dom-Plugin-length">length</code></dfn> attribute must return the number
9565995577
of <span>reported MIME types</span>.
95660-
<!--INSERT FINGERPRINT-->
95578+
<!--INSERT TRACKING-->
9566195579
</p>
9566295580

9566395581
<p>The <dfn><code data-x="dom-Plugin-item">item()</code></dfn> method of a <code
@@ -95677,14 +95595,14 @@ interface <dfn>MimeType</dfn> {
9567795595

9567895596
</ol>
9567995597

95680-
<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95681-
privacy</span> that the order of MIME types not leak additional information, e.g. the order in
95598+
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95599+
privacy</span> that the order of MIME types not leak additional information, e.g., the order in
9568295600
which plugins were installed.</p>
9568395601

9568495602
<p>The <span>supported property names</span> of a <code data-x="dom-Plugin">Plugin</code> object
9568595603
are the values of the <code data-x="dom-MimeType-type">type</code> attributes of the
9568695604
<code>MimeType</code> objects representing the <span>reported MIME types</span>.
95687-
<!--INSERT FINGERPRINT-->
95605+
<!--INSERT TRACKING-->
9568895606
</p>
9568995607

9569095608
<p>The <dfn><code data-x="dom-Plugin-namedItem">namedItem()</code></dfn> method of a <code
@@ -95710,7 +95628,7 @@ interface <dfn>MimeType</dfn> {
9571095628
data-x="dom-Plugin-description">description</code> attribute just return the same value as the
9571195629
<code data-x="dom-Plugin-name">name</code> attribute, and that the <code
9571295630
data-x="dom-Plugin-filename">filename</code> attribute return the empty string.
95713-
<!--INSERT FINGERPRINT-->
95631+
<!--INSERT TRACKING-->
9571495632
</p>
9571595633

9571695634
<hr>
@@ -95740,7 +95658,7 @@ interface <dfn>MimeType</dfn> {
9574095658
data-x="dom-MimeType-description">description</code> attribute just return the same value as the
9574195659
<code data-x="dom-MimeType-type">type</code> attribute, and that the <code
9574295660
data-x="dom-MimeType-suffixes">suffixes</code> attribute return the empty string.
95743-
<!--INSERT FINGERPRINT-->
95661+
<!--INSERT TRACKING-->
9574495662
</p>
9574595663

9574695664
<p class="note">Commas in the <code data-x="dom-MimeType-suffixes">suffixes</code> attribute are
@@ -95759,7 +95677,7 @@ interface <dfn>MimeType</dfn> {
9575995677
<p>The <dfn><code data-x="dom-navigator-javaEnabled">navigator.javaEnabled()</code></dfn> method
9576095678
must return true if the user agent supports a <span>plugin</span> that supports the <span>MIME
9576195679
type</span> "<code data-x="">application/x-java-vm</code>"; otherwise it must return false.
95762-
<!--INSERT FINGERPRINT-->
95680+
<!--INSERT TRACKING-->
9576395681
</p>
9576495682

9576595683
</div>
@@ -98433,8 +98351,11 @@ dictionary <dfn>CloseEventInit</dfn> : <span>EventInit</span> {
9843398351
that allows documents to communicate with each other regardless of their source domain, in a way
9843498352
designed to not enable cross-site scripting attacks.</p>
9843598353

98436-
<p class="note">This API <a href="#fingerprint-postMessage">has some privacy implications</a> that
98437-
might not be immediately obvious.</p>
98354+
<p class="note" id="fingerprint-postMessage">The <code
98355+
data-x="dom-window-postMessage">postMessage()</code> API can be used as a <span>tracking
98356+
vector</span>.
98357+
<!-- INSERT TRACKING -->
98358+
</p>
9843898359

9843998360
<div w-nodev>
9844098361

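Review bot: the replacement note changes the substance, not just the wording. The deleted section said that postMessage() only appears to open a new channel and that equivalent cross-site channels (iframe dimensions, an image request carrying a server-known identifier, server-side exchange of fingerprints) predate it; the new note states flatly that postMessage() "can be used as a tracking vector". If the stronger characterization is intended that is fine, but it should be a deliberate decision, and one sentence of the old context would help readers who follow the anchor. The marker here is again `<!-- INSERT TRACKING -->` with spaces, unlike the rest of the file; make it consistent. Moving `id="fingerprint-postMessage"` onto this note preserves the old anchor, which is good.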
@@ -101220,7 +101141,8 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
101220101141
data-x="dom-navigator-hardwareConcurrency">navigator.hardwareConcurrency</code></dfn> attribute's
101221101142
getter must return a number between 1 and the number of logical processors potentially available
101222101143
to the user agent. If this cannot be determined, the getter must return 1.
101223-
<!--INSERT FINGERPRINT--></p>
101144+
<!--INSERT TRACKING-->
101145+
</p>
101224101146

101225101147
<p>User agents should err toward exposing the number of logical processors available, using lower
101226101148
values only in cases where there are user-agent specific limits in place (such as a limitation
@@ -101782,7 +101704,7 @@ interface <dfn>Storage</dfn> {
101782101704

101783101705
<p>The <dfn><code data-x="dom-localStorage">localStorage</code></dfn> object provides a
101784101706
<code>Storage</code> object for an <span>origin</span>.
101785-
<!--INSERT FINGERPRINT-->
101707+
<!--INSERT TRACKING-->
101786101708
</p>
101787101709

101788101710
<dl class="domintro">
