@@ -783,94 +783,6 @@ interface <dfn data-x="">Example</dfn> {
783
783
784
784
785
785
786
- <h3 id="fingerprint">Privacy concerns</h3>
787
-
788
- <!-- NON-NORMATIVE SECTION -->
789
-
790
- <p>Some features of HTML trade user convenience for a measure of user privacy.</p>
791
-
792
- <p>In general, due to the Internet's architecture, a user can be distinguished from another by the
793
- user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
794
- device, or from network to network, their IP address will change; similarly, NAT routing, proxy
795
- servers, and shared computers enable packets that appear to all come from a single IP address to
796
- actually map to multiple users. Technologies such as onion routing can be used to further
797
- anonymize requests so that requests from a single user at one node on the Internet appear to come
798
- from many disparate parts of the network.</p>
799
-
800
- <p>However, the IP address used for a user's requests is not the only mechanism by which a user's
801
- requests could be related to each other. Cookies, for example, are designed specifically to enable
802
- this, and are the basis of most of the Web's session features that enable you to log into a site
803
- with which you have an account.</p>
804
-
805
- <p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
806
- be used to distinguish groups of users from each other; by collecting enough such information, an
807
- individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not
808
- better than, an IP address in ascertaining which requests are from the same user.</p>
809
-
810
- <p>Grouping requests in this manner, especially across multiple sites, can be used for both benign
811
- (and even arguably positive) purposes, as well as for malevolent purposes. An example of a
812
- reasonably benign purpose would be determining whether a particular person seems to prefer sites
813
- with dog illustrations as opposed to sites with cat illustrations (based on how often they visit
814
- the sites in question) and then automatically using the preferred illustrations on subsequent
815
- visits to participating sites. Malevolent purposes, however, could include governments combining
816
- information such as the person's home address (determined from the addresses they use when getting
817
- driving directions on one site) with their apparent political affiliations (determined by
818
- examining the forum sites that they participate in) to determine whether the person should be
819
- prevented from voting in an election.</p>
820
-
821
- <p>Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to
822
- consider how to provide their users with tools to minimize leaking information that could be used
823
- to fingerprint a user.</p>
824
-
825
- <p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
826
- to be derived from exposing the very information that can also be used for fingerprinting
827
- purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to
828
- log into a site to post under a specific identity requires that the user's requests be
829
- identifiable as all being from the same user, more or less by definition. More subtly, though,
830
- information such as how wide text is, which is necessary for many effects that involve drawing
831
- text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks
832
- information that can be used to group a user's requests. (In this case, by potentially exposing,
833
- via a brute force search, which fonts a user has installed, information which can vary
834
- considerably from user to user.)</p>
835
-
836
- <p w-nodev>Features in this specification which can be <dfn data-x="fingerprinting vector">used to
837
- fingerprint the user</dfn> are marked as this paragraph is.
838
- <!--INSERT FINGERPRINT-->
839
- </p>
840
-
841
- <p>Other features in the platform can be used for the same purpose, though, including, though not
842
- limited to:</p>
843
-
844
- <ul>
845
-
846
- <li>The exact list of which features a user agents supports.</li>
847
-
848
- <li>The maximum allowed stack depth for recursion in script.</li>
849
-
850
- <li>Features that describe the user's environment, like Media Queries and the <code>Screen</code>
851
- object. <ref spec=MQ> <ref spec=CSSOMVIEW></li>
852
-
853
- <li>The user's time zone.</li>
854
-
855
- </ul>
856
-
857
-
858
- <h4 id="fingerprint-postMessage">Cross-site communication</h4>
859
-
860
- <p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
861
- which two sites can communicate directly. At first glance, this might appear to open a new way by
862
- which the problems described above can occur. However, in practice, multiple mechanisms exist by
863
- which two sites can communicate that predate this API: a site embedding another can send data via
864
- an <code>iframe</code> element's dimensions; a site can use a cross-site image request with a
865
- unique identifier known to the server to initiate a server-side data exchange; or indeed the
866
- fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
867
- such that information can then be exchanged on the server side.</p>
868
-
869
- <p>Fundamentally, users that do not trust a site to treat their information with respect have to
870
- avoid visiting that site at all.</p>
871
-
872
-
873
-
874
786
875
787
<h3>A quick introduction to HTML</h3>
876
788
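Review bot: The removed "Other features in the platform" list (supported feature set, script recursion stack depth, Media Queries and the Screen object, time zone) and the paragraph encouraging user agent implementers to provide tools that minimize leaks have no replacement anywhere in this patch; the only new text is a bare link to Infra's tracking vector definition. Please confirm that Infra carries equivalent guidance, or keep a short non-normative note here that points to it, so implementers reading HTML alone still see which unmarked platform features contribute to tracking. The old anchors id="fingerprint" and id="fingerprint-postMessage" are re-homed later in the patch, which keeps inbound links working.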
@@ -2172,7 +2084,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
2172
2084
fingerprinting vector that increases the chances of users being uniquely identified, user agents
2173
2085
are encouraged to support the exact same set of <span data-x="plugin">plugins</span> for each
2174
2086
user.
2175
- <!--INSERT FINGERPRINT -->
2087
+ <!--INSERT TRACKING -->
2176
2088
</p>
2177
2089
2178
2090
</div>
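Review bot: The unchanged context line at the top of this hunk still reads "fingerprinting vector that increases the chances of users being uniquely identified" while the marker beneath it is renamed to TRACKING, so the prose and the annotation now use different terms. Since the patch removes the local "fingerprinting vector" definition, suggest rewording to "tracking vector" and wrapping it in a span so it links to the new dfn; the Accept-Language hunk has the same leftover in "To avoid introducing any more fingerprinting vectors".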
@@ -2434,7 +2346,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
2434
2346
<p id="hardwareLimitations">User agents may impose implementation-specific limits on otherwise
2435
2347
unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of
2436
2348
memory, or to work around platform-specific limitations.
2437
- <!--INSERT FINGERPRINT -->
2349
+ <!--INSERT TRACKING -->
2438
2350
</p>
2439
2351
2440
2352
<p>For compatibility with existing content and prior specifications, this specification describes
@@ -2472,6 +2384,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
2472
2384
<li>The general iteration terms <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-while">while</dfn>,
2473
2385
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-continue">continue</dfn>, and
2474
2386
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn>.</li>
2387
+ <li id="fingerprint"><span id="fingerprinting-vector"></span><dfn
2388
+ data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>
2389
+ <!-- INSERT TRACKING -->
2390
+ </li>
2475
2391
<li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
2476
2392
<dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
2477
2393
<li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
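Review bot: The marker added in this list item is written "<!-- INSERT TRACKING -->", with a space after the comment opener, while the renamed sites in this patch use "<!--INSERT TRACKING -->" or "<!--INSERT TRACKING-->". If the build step that expands these markers matches them literally, this spelling may be left unexpanded in the output; suggest using one of the existing spellings. A short source comment saying that the empty span with id="fingerprinting-vector" exists only to preserve the old fragment identifier would also help the next editor.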
@@ -9471,7 +9387,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
9471
9387
origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
9472
9388
<code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
9473
9389
for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
9474
- using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES><!--INSERT FINGERPRINT--></p>
9390
+ using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES>
9391
+ <!--INSERT TRACKING-->
9392
+ </p>
9475
9393
9476
9394
<p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
9477
9395
the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span>origin</span> is
@@ -34415,7 +34333,7 @@ interface <dfn>MediaError</dfn> {
34415
34333
<span>media resource</span>. In the even rarer case of a <span>media resource</span> with no
34416
34334
explicit timings of any kind, not even frame durations, the user agent must itself determine the
34417
34335
time for each frame in a user-agent-defined manner.
34418
- <!--INSERT FINGERPRINT -->
34336
+ <!--INSERT TRACKING -->
34419
34337
</p>
34420
34338
34421
34339
<p class="note">An example of a file format with no explicit timeline but with explicit frame
@@ -48164,7 +48082,7 @@ ldh-str = < as defined in <a href="https://tools.ietf.org/html/rfc1034#
48164
48082
implementation-defined string that means "Submit" or some such.</span> The element is a <span
48165
48083
data-x="concept-button">button</span>, specifically a <span data-x="concept-submit-button">submit
48166
48084
button</span>.
48167
- <!--INSERT FINGERPRINT -->
48085
+ <!--INSERT TRACKING -->
48168
48086
</p>
48169
48087
48170
48088
<p class="note">Since the default label is implementation-defined, and the width of the button
@@ -48537,7 +48455,7 @@ ldh-str = < as defined in <a href="https://tools.ietf.org/html/rfc1034#
48537
48455
attribute, the button's label must be the value of that attribute; otherwise, it must be an
48538
48456
implementation-defined string that means "Reset" or some such.</span> The element is a <span
48539
48457
data-x="concept-button">button</span>.
48540
- <!--INSERT FINGERPRINT -->
48458
+ <!--INSERT TRACKING -->
48541
48459
</p>
48542
48460
48543
48461
<p class="note">Since the default label is implementation-defined, and the width of the button
@@ -63768,7 +63686,7 @@ try {
63768
63686
the <code>CanvasText</code> interface, and then using the returned <span>inline box</span> must
63769
63687
return a new <code>TextMetrics</code> object with members behaving as described in the following
63770
63688
list: <ref spec=CSS>
63771
- <!--INSERT FINGERPRINT -->
63689
+ <!--INSERT TRACKING -->
63772
63690
</p>
63773
63691
63774
63692
</div>
@@ -75138,7 +75056,7 @@ addShortcutKeyLabel(document.getElementById('c'));</code></pre>
75138
75056
key that corresponds to the value given in the attribute, can be used as the access key, then
75139
75057
the user agent may assign that combination of keys as the element's <span>assigned access
75140
75058
key</span> and return.
75141
- <!--INSERT FINGERPRINT -->
75059
+ <!--INSERT TRACKING -->
75142
75060
</p></li>
75143
75061
75144
75062
</ol>
@@ -88047,7 +87965,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
88047
87965
<li>The user has not disabled scripting for this <span>browsing context</span> at this time.
88048
87966
(User agents may provide users with the option to disable scripting globally, or in a
88049
87967
finer-grained manner, e.g. on a per-origin basis.)
88050
- <!--INSERT FINGERPRINT -->
87968
+ <!--INSERT TRACKING -->
88051
87969
</li>
88052
87970
88053
87971
<li id="sandboxScriptBlocked">The <span>browsing context</span>'s <span>active document</span>'s
@@ -90969,7 +90887,7 @@ import "https://example.com/foo/../module2.mjs";</code></pre>
90969
90887
90970
90888
<li><p>Let <var>message</var> be a user-agent-defined string describing the error in a
90971
90889
helpful manner.
90972
- <!--INSERT FINGERPRINT -->
90890
+ <!--INSERT TRACKING -->
90973
90891
</p></li>
90974
90892
90975
90893
<li><p>Let <var>errorValue</var> be the value that represents the error: in the case of an
@@ -94863,7 +94781,7 @@ interface <dfn>Navigator</dfn> {
94863
94781
profile the user. In fact, if enough such information is available, a user can actually be
94864
94782
uniquely identified. For this reason, user agent implementers are strongly urged to include as
94865
94783
little information in this API as possible.
94866
- <!--INSERT FINGERPRINT -->
94784
+ <!--INSERT TRACKING -->
94867
94785
</p>
94868
94786
94869
94787
</div>
@@ -94944,7 +94862,7 @@ interface <dfn>Navigator</dfn> {
94944
94862
94945
94863
<li>Any information in this API that varies from user to user can be used to profile or identify
94946
94864
the user.
94947
- <!--INSERT FINGERPRINT -->
94865
+ <!--INSERT TRACKING -->
94948
94866
</li>
94949
94867
94950
94868
<li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
@@ -94961,7 +94879,7 @@ interface <dfn>Navigator</dfn> {
94961
94879
<p>To avoid introducing any more fingerprinting vectors, user agents should use the same list for
94962
94880
the APIs defined in this function as for the HTTP `<code
94963
94881
data-x="http-accept-language">Accept-Language</code>` header.
94964
- <!--INSERT FINGERPRINT -->
94882
+ <!--INSERT TRACKING -->
94965
94883
</p>
94966
94884
94967
94885
</div>
@@ -95508,13 +95426,13 @@ interface <dfn>MimeType</dfn> {
95508
95426
<p>The <span>supported property indices</span> of a <code>PluginArray</code> object are the
95509
95427
numbers from zero to the number of non-<span data-x="hidden plugin">hidden</span> <span
95510
95428
data-x="plugin">plugins</span> represented by the object, if any.
95511
- <!--INSERT FINGERPRINT -->
95429
+ <!--INSERT TRACKING -->
95512
95430
</p>
95513
95431
95514
95432
<p>The <dfn><code data-x="dom-PluginArray-length">length</code></dfn> attribute must return the
95515
95433
number of non-<span data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span>
95516
95434
represented by the object.
95517
- <!--INSERT FINGERPRINT -->
95435
+ <!--INSERT TRACKING -->
95518
95436
</p>
95519
95437
95520
95438
<p>The <dfn><code data-x="dom-PluginArray-item">item()</code></dfn> method of a
@@ -95535,14 +95453,14 @@ interface <dfn>MimeType</dfn> {
95535
95453
95536
95454
</ol>
95537
95455
95538
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95539
- privacy</span> that the order of plugins not leak additional information, e.g. the order in which
95456
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95457
+ privacy</span> that the order of plugins not leak additional information, e.g., the order in which
95540
95458
plugins were installed.</p>
95541
95459
95542
95460
<p>The <span>supported property names</span> of a <code>PluginArray</code> object are the values
95543
95461
of the <code data-x="dom-Plugin-name">name</code> attributes of all the <code
95544
95462
data-x="dom-Plugin">Plugin</code> objects represented by the <code>PluginArray</code> object.
95545
- <!--INSERT FINGERPRINT -->
95463
+ <!--INSERT TRACKING -->
95546
95464
</p>
95547
95465
95548
95466
<p>The <dfn><code data-x="dom-PluginArray-namedItem">namedItem()</code></dfn> method of a
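Review bot: The switch from "e.g." to "e.g.," on the second added line is a punctuation change unrelated to the rename, and it is inconsistent with the rest of the file, where unchanged context lines in other hunks still read "e.g. to prevent denial of service attacks" and "e.g. on a per-origin basis". Suggest dropping it from this patch or handling the style change across the file separately; the same applies to the two MIME type ordering notes further down.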
@@ -95587,14 +95505,14 @@ interface <dfn>MimeType</dfn> {
95587
95505
supported</span> by non-<span data-x="hidden plugin">hidden</span> <span
95588
95506
data-x="plugin">plugins</span> represented by the corresponding <code>PluginArray</code> object, if
95589
95507
any.
95590
- <!--INSERT FINGERPRINT -->
95508
+ <!--INSERT TRACKING -->
95591
95509
</p>
95592
95510
95593
95511
<p>The <dfn><code data-x="dom-MimeTypeArray-length">length</code></dfn> attribute must return the
95594
95512
number of <span data-x="MIME type">MIME types</span> <span>explicitly supported</span> by non-<span
95595
95513
data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span> represented by the
95596
95514
corresponding <code>PluginArray</code> object, if any.
95597
- <!--INSERT FINGERPRINT -->
95515
+ <!--INSERT TRACKING -->
95598
95516
</p>
95599
95517
95600
95518
<p>The <dfn><code data-x="dom-MimeTypeArray-item">item()</code></dfn> method of a
@@ -95616,14 +95534,14 @@ interface <dfn>MimeType</dfn> {
95616
95534
95617
95535
</ol>
95618
95536
95619
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95620
- privacy</span> that the order of MIME types not leak additional information, e.g. the order in
95537
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95538
+ privacy</span> that the order of MIME types not leak additional information, e.g., the order in
95621
95539
which plugins were installed.</p>
95622
95540
95623
95541
<p>The <span>supported property names</span> of a <code>MimeTypeArray</code> object are the values
95624
95542
of the <code data-x="dom-MimeType-type">type</code> attributes of all the <code>MimeType</code>
95625
95543
objects represented by the <code>MimeTypeArray</code> object.
95626
- <!--INSERT FINGERPRINT -->
95544
+ <!--INSERT TRACKING -->
95627
95545
</p>
95628
95546
95629
95547
<p>The <dfn><code data-x="dom-MimeTypeArray-namedItem">namedItem()</code></dfn> method of a
@@ -95652,12 +95570,12 @@ interface <dfn>MimeType</dfn> {
95652
95570
95653
95571
<p>The <span>supported property indices</span> of a <code data-x="dom-Plugin">Plugin</code> object
95654
95572
are the numbers from zero to the number of <span>reported MIME types</span>.
95655
- <!--INSERT FINGERPRINT -->
95573
+ <!--INSERT TRACKING -->
95656
95574
</p>
95657
95575
95658
95576
<p>The <dfn><code data-x="dom-Plugin-length">length</code></dfn> attribute must return the number
95659
95577
of <span>reported MIME types</span>.
95660
- <!--INSERT FINGERPRINT -->
95578
+ <!--INSERT TRACKING -->
95661
95579
</p>
95662
95580
95663
95581
<p>The <dfn><code data-x="dom-Plugin-item">item()</code></dfn> method of a <code
@@ -95677,14 +95595,14 @@ interface <dfn>MimeType</dfn> {
95677
95595
95678
95596
</ol>
95679
95597
95680
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
95681
- privacy</span> that the order of MIME types not leak additional information, e.g. the order in
95598
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
95599
+ privacy</span> that the order of MIME types not leak additional information, e.g., the order in
95682
95600
which plugins were installed.</p>
95683
95601
95684
95602
<p>The <span>supported property names</span> of a <code data-x="dom-Plugin">Plugin</code> object
95685
95603
are the values of the <code data-x="dom-MimeType-type">type</code> attributes of the
95686
95604
<code>MimeType</code> objects representing the <span>reported MIME types</span>.
95687
- <!--INSERT FINGERPRINT -->
95605
+ <!--INSERT TRACKING -->
95688
95606
</p>
95689
95607
95690
95608
<p>The <dfn><code data-x="dom-Plugin-namedItem">namedItem()</code></dfn> method of a <code
@@ -95710,7 +95628,7 @@ interface <dfn>MimeType</dfn> {
95710
95628
data-x="dom-Plugin-description">description</code> attribute just return the same value as the
95711
95629
<code data-x="dom-Plugin-name">name</code> attribute, and that the <code
95712
95630
data-x="dom-Plugin-filename">filename</code> attribute return the empty string.
95713
- <!--INSERT FINGERPRINT -->
95631
+ <!--INSERT TRACKING -->
95714
95632
</p>
95715
95633
95716
95634
<hr>
@@ -95740,7 +95658,7 @@ interface <dfn>MimeType</dfn> {
95740
95658
data-x="dom-MimeType-description">description</code> attribute just return the same value as the
95741
95659
<code data-x="dom-MimeType-type">type</code> attribute, and that the <code
95742
95660
data-x="dom-MimeType-suffixes">suffixes</code> attribute return the empty string.
95743
- <!--INSERT FINGERPRINT -->
95661
+ <!--INSERT TRACKING -->
95744
95662
</p>
95745
95663
95746
95664
<p class="note">Commas in the <code data-x="dom-MimeType-suffixes">suffixes</code> attribute are
@@ -95759,7 +95677,7 @@ interface <dfn>MimeType</dfn> {
95759
95677
<p>The <dfn><code data-x="dom-navigator-javaEnabled">navigator.javaEnabled()</code></dfn> method
95760
95678
must return true if the user agent supports a <span>plugin</span> that supports the <span>MIME
95761
95679
type</span> "<code data-x="">application/x-java-vm</code>"; otherwise it must return false.
95762
- <!--INSERT FINGERPRINT -->
95680
+ <!--INSERT TRACKING -->
95763
95681
</p>
95764
95682
95765
95683
</div>
@@ -98433,8 +98351,11 @@ dictionary <dfn>CloseEventInit</dfn> : <span>EventInit</span> {
98433
98351
that allows documents to communicate with each other regardless of their source domain, in a way
98434
98352
designed to not enable cross-site scripting attacks.</p>
98435
98353
98436
- <p class="note">This API <a href="#fingerprint-postMessage">has some privacy implications</a> that
98437
- might not be immediately obvious.</p>
98354
+ <p class="note" id="fingerprint-postMessage">The <code
98355
+ data-x="dom-window-postMessage">postMessage()</code> API can be used as a <span>tracking
98356
+ vector</span>.
98357
+ <!-- INSERT TRACKING -->
98358
+ </p>
98438
98359
98439
98360
<div w-nodev>
98440
98361
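Review bot: The new note says only that postMessage() can be used as a tracking vector, which drops the reasoning from the removed "Cross-site communication" section (iframe dimensions, cross-site image requests with a unique identifier, server-side exchange) that explained why the API adds little beyond mechanisms that predate it. Suggest keeping one sentence of that context or linking to where it now lives, since the text being replaced told readers the implications "might not be immediately obvious". The marker here is also spelled "<!-- INSERT TRACKING -->" with a leading space, unlike the renamed sites elsewhere in the patch.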
@@ -101220,7 +101141,8 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
101220
101141
data-x="dom-navigator-hardwareConcurrency">navigator.hardwareConcurrency</code></dfn> attribute's
101221
101142
getter must return a number between 1 and the number of logical processors potentially available
101222
101143
to the user agent. If this cannot be determined, the getter must return 1.
101223
- <!--INSERT FINGERPRINT--></p>
101144
+ <!--INSERT TRACKING-->
101145
+ </p>
101224
101146
101225
101147
<p>User agents should err toward exposing the number of logical processors available, using lower
101226
101148
values only in cases where there are user-agent specific limits in place (such as a limitation
@@ -101782,7 +101704,7 @@ interface <dfn>Storage</dfn> {
101782
101704
101783
101705
<p>The <dfn><code data-x="dom-localStorage">localStorage</code></dfn> object provides a
101784
101706
<code>Storage</code> object for an <span>origin</span>.
101785
- <!--INSERT FINGERPRINT -->
101707
+ <!--INSERT TRACKING -->
101786
101708
</p>
101787
101709
101788
101710
<dl class="domintro">