Use Infra as infrastructure for tracking/fingerprinting marking

This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.

Author: annevk

source

@@ -785,94 +785,6 @@ interface <dfn data-x="">Example</dfn> {
 
 
 
-  <h3 id="fingerprint">Privacy concerns</h3>
-
-  <!-- NON-NORMATIVE SECTION -->
-
-  <p>Some features of HTML trade user convenience for a measure of user privacy.</p>
-
-  <p>In general, due to the Internet's architecture, a user can be distinguished from another by the
-  user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
-  device, or from network to network, their IP address will change; similarly, NAT routing, proxy
-  servers, and shared computers enable packets that appear to all come from a single IP address to
-  actually map to multiple users. Technologies such as onion routing can be used to further
-  anonymize requests so that requests from a single user at one node on the Internet appear to come
-  from many disparate parts of the network.</p>
-
-  <p>However, the IP address used for a user's requests is not the only mechanism by which a user's
-  requests could be related to each other. Cookies, for example, are designed specifically to enable
-  this, and are the basis of most of the Web's session features that enable you to log into a site
-  with which you have an account.</p>
-
-  <p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
-  be used to distinguish groups of users from each other; by collecting enough such information, an
-  individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not
-  better than, an IP address in ascertaining which requests are from the same user.</p>
-
-  <p>Grouping requests in this manner, especially across multiple sites, can be used for both benign
-  (and even arguably positive) purposes, as well as for malevolent purposes. An example of a
-  reasonably benign purpose would be determining whether a particular person seems to prefer sites
-  with dog illustrations as opposed to sites with cat illustrations (based on how often they visit
-  the sites in question) and then automatically using the preferred illustrations on subsequent
-  visits to participating sites. Malevolent purposes, however, could include governments combining
-  information such as the person's home address (determined from the addresses they use when getting
-  driving directions on one site) with their apparent political affiliations (determined by
-  examining the forum sites that they participate in) to determine whether the person should be
-  prevented from voting in an election.</p>
-
-  <p>Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to
-  consider how to provide their users with tools to minimize leaking information that could be used
-  to fingerprint a user.</p>
-
-  <p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
-  to be derived from exposing the very information that can also be used for fingerprinting
-  purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to
-  log into a site to post under a specific identity requires that the user's requests be
-  identifiable as all being from the same user, more or less by definition. More subtly, though,
-  information such as how wide text is, which is necessary for many effects that involve drawing
-  text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks
-  information that can be used to group a user's requests. (In this case, by potentially exposing,
-  via a brute force search, which fonts a user has installed, information which can vary
-  considerably from user to user.)</p>
-
-  <p w-nodev>Features in this specification which can be <dfn data-x="fingerprinting vector">used to
-  fingerprint the user</dfn> are marked as this paragraph is.
-  <!--INSERT FINGERPRINT-->
-  </p>
-
-  <p>Other features in the platform can be used for the same purpose, though, including, though not
-  limited to:</p>
-
-  <ul>
-
-   <li>The exact list of which features a user agents supports.</li>
-
-   <li>The maximum allowed stack depth for recursion in script.</li>
-
-   <li>Features that describe the user's environment, like Media Queries and the <code>Screen</code>
-   object. <ref spec=MQ> <ref spec=CSSOMVIEW></li>
-
-   <li>The user's time zone.</li>
-
-  </ul>
-
-
-  <h4 id="fingerprint-postMessage">Cross-site communication</h4>
-
-  <p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
-  which two sites can communicate directly. At first glance, this might appear to open a new way by
-  which the problems described above can occur. However, in practice, multiple mechanisms exist by
-  which two sites can communicate that predate this API: a site embedding another can send data via
-  an <code>iframe</code> element's dimensions; a site can use a cross-site image request with a
-  unique identifier known to the server to initiate a server-side data exchange; or indeed the
-  fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
-  such that information can then be exchanged on the server side.</p>
-
-  <p>Fundamentally, users that do not trust a site to treat their information with respect have to
-  avoid visiting that site at all.</p>
-
-
-
 
   <h3>A quick introduction to HTML</h3>
 
@@ -2174,7 +2086,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   fingerprinting vector that increases the chances of users being uniquely identified, user agents
   are encouraged to support the exact same set of <span data-x="plugin">plugins</span> for each
   user.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   </div>
@@ -2436,7 +2348,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   <p id="hardwareLimitations">User agents may impose implementation-specific limits on otherwise
   unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of
   memory, or to work around platform-specific limitations.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>For compatibility with existing content and prior specifications, this specification describes
@@ -2474,6 +2386,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li>The general iteration terms <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-while">while</dfn>,
              <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-continue">continue</dfn>, and
              <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn>.</li>
+     <li id="fingerprint"><span id="fingerprinting-vector"></span><dfn
+     data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>
+     <!-- INSERT TRACKING -->
+     </li>
      <li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
          <dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
      <li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
@@ -9469,7 +9385,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
   <code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
   for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
-  using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES><!--INSERT FINGERPRINT--></p>
+  using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES>
+  <!--INSERT TRACKING-->
+  </p>
 
   <p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
   the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span>origin</span> is
@@ -34757,7 +34675,7 @@ interface <dfn>MediaError</dfn> {
   <span>media resource</span>. In the even rarer case of a <span>media resource</span> with no
   explicit timings of any kind, not even frame durations, the user agent must itself determine the
   time for each frame in a user-agent-defined manner.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p class="note">An example of a file format with no explicit timeline but with explicit frame
@@ -48669,7 +48587,7 @@ ldh-str       = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
   implementation-defined string that means "Submit" or some such.</span> The element is a <span
   data-x="concept-button">button</span>, specifically a <span data-x="concept-submit-button">submit
   button</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p class="note">Since the default label is implementation-defined, and the width of the button
@@ -49042,7 +48960,7 @@ ldh-str       = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
   attribute, the button's label must be the value of that attribute; otherwise, it must be an
   implementation-defined string that means "Reset" or some such.</span> The element is a <span
   data-x="concept-button">button</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p class="note">Since the default label is implementation-defined, and the width of the button
@@ -64345,7 +64263,7 @@ try {
   the <code>CanvasText</code> interface, and then using the returned <span>inline box</span> must
   return a new <code>TextMetrics</code> object with members behaving as described in the following
   list: <ref spec=CSS>
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   </div>
@@ -75869,7 +75787,7 @@ addShortcutKeyLabel(document.getElementById('c'));</code></pre>
      key that corresponds to the value given in the attribute, can be used as the access key, then
      the user agent may assign that combination of keys as the element's <span>assigned access
      key</span> and return.
-     <!--INSERT FINGERPRINT-->
+     <!--INSERT TRACKING-->
      </p></li>
 
     </ol>
@@ -88884,7 +88802,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    <li>The user has not disabled scripting for this <span>browsing context</span> at this time.
    (User agents may provide users with the option to disable scripting globally, or in a
    finer-grained manner, e.g. on a per-origin basis.)
-   <!--INSERT FINGERPRINT-->
+   <!--INSERT TRACKING-->
    </li>
 
    <li id="sandboxScriptBlocked">The <span>browsing context</span>'s <span>active document</span>'s
@@ -91671,7 +91589,7 @@ import "https://example.com/foo/../module2.mjs";</code></pre>
 
    <li><p>Let <var>message</var> be a user-agent-defined string describing the error in a
    helpful manner.
-   <!--INSERT FINGERPRINT-->
+   <!--INSERT TRACKING-->
    </p></li>
 
    <li><p>Let <var>errorValue</var> be the value that represents the error: in the case of an
@@ -95585,7 +95503,7 @@ interface <dfn>Navigator</dfn> {
   profile the user. In fact, if enough such information is available, a user can actually be
   uniquely identified. For this reason, user agent implementers are strongly urged to include as
   little information in this API as possible.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   </div>
@@ -95666,7 +95584,7 @@ interface <dfn>Navigator</dfn> {
 
    <li>Any information in this API that varies from user to user can be used to profile or identify
    the user.
-   <!--INSERT FINGERPRINT-->
+   <!--INSERT TRACKING-->
    </li>
 
    <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
@@ -95683,7 +95601,7 @@ interface <dfn>Navigator</dfn> {
   <p>To avoid introducing any more fingerprinting vectors, user agents should use the same list for
   the APIs defined in this function as for the HTTP `<code
   data-x="http-accept-language">Accept-Language</code>` header.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   </div>
@@ -96216,13 +96134,13 @@ interface <dfn>MimeType</dfn> {
   <p>The <span>supported property indices</span> of a <code>PluginArray</code> object are the
   numbers from zero to the number of non-<span data-x="hidden plugin">hidden</span> <span
   data-x="plugin">plugins</span> represented by the object, if any.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-PluginArray-length">length</code></dfn> attribute must return the
   number of non-<span data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span>
   represented by the object.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-PluginArray-item">item()</code></dfn> method of a
@@ -96243,14 +96161,14 @@ interface <dfn>MimeType</dfn> {
 
   </ol>
 
-  <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
-  privacy</span> that the order of plugins not leak additional information, e.g. the order in which
+  <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+  privacy</span> that the order of plugins not leak additional information, e.g., the order in which
   plugins were installed.</p>
 
   <p>The <span>supported property names</span> of a <code>PluginArray</code> object are the values
   of the <code data-x="dom-Plugin-name">name</code> attributes of all the <code
   data-x="dom-Plugin">Plugin</code> objects represented by the <code>PluginArray</code> object.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-PluginArray-namedItem">namedItem()</code></dfn> method of a
@@ -96295,14 +96213,14 @@ interface <dfn>MimeType</dfn> {
   supported</span> by non-<span data-x="hidden plugin">hidden</span> <span
   data-x="plugin">plugins</span> represented by the corresponding <code>PluginArray</code> object, if
   any.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-MimeTypeArray-length">length</code></dfn> attribute must return the
   number of <span data-x="MIME type">MIME types</span> <span>explicitly supported</span> by non-<span
   data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span> represented by the
   corresponding <code>PluginArray</code> object, if any.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-MimeTypeArray-item">item()</code></dfn> method of a
@@ -96324,14 +96242,14 @@ interface <dfn>MimeType</dfn> {
 
   </ol>
 
-  <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
-  privacy</span> that the order of MIME types not leak additional information, e.g. the order in
+  <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+  privacy</span> that the order of MIME types not leak additional information, e.g., the order in
   which plugins were installed.</p>
 
   <p>The <span>supported property names</span> of a <code>MimeTypeArray</code> object are the values
   of the <code data-x="dom-MimeType-type">type</code> attributes of all the <code>MimeType</code>
   objects represented by the <code>MimeTypeArray</code> object.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-MimeTypeArray-namedItem">namedItem()</code></dfn> method of a
@@ -96360,12 +96278,12 @@ interface <dfn>MimeType</dfn> {
 
   <p>The <span>supported property indices</span> of a <code data-x="dom-Plugin">Plugin</code> object
   are the numbers from zero to the number of <span>reported MIME types</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-Plugin-length">length</code></dfn> attribute must return the number
   of <span>reported MIME types</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-Plugin-item">item()</code></dfn> method of a <code
@@ -96385,14 +96303,14 @@ interface <dfn>MimeType</dfn> {
 
   </ol>
 
-  <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
-  privacy</span> that the order of MIME types not leak additional information, e.g. the order in
+  <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+  privacy</span> that the order of MIME types not leak additional information, e.g., the order in
   which plugins were installed.</p>
 
   <p>The <span>supported property names</span> of a <code data-x="dom-Plugin">Plugin</code> object
   are the values of the <code data-x="dom-MimeType-type">type</code> attributes of the
   <code>MimeType</code> objects representing the <span>reported MIME types</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p>The <dfn><code data-x="dom-Plugin-namedItem">namedItem()</code></dfn> method of a <code
@@ -96418,7 +96336,7 @@ interface <dfn>MimeType</dfn> {
   data-x="dom-Plugin-description">description</code> attribute just return the same value as the
   <code data-x="dom-Plugin-name">name</code> attribute, and that the <code
   data-x="dom-Plugin-filename">filename</code> attribute return the empty string.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <hr>
@@ -96448,7 +96366,7 @@ interface <dfn>MimeType</dfn> {
   data-x="dom-MimeType-description">description</code> attribute just return the same value as the
   <code data-x="dom-MimeType-type">type</code> attribute, and that the <code
   data-x="dom-MimeType-suffixes">suffixes</code> attribute return the empty string.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <p class="note">Commas in the <code data-x="dom-MimeType-suffixes">suffixes</code> attribute are
@@ -96467,7 +96385,7 @@ interface <dfn>MimeType</dfn> {
   <p>The <dfn><code data-x="dom-navigator-javaEnabled">navigator.javaEnabled()</code></dfn> method
   must return true if the user agent supports a <span>plugin</span> that supports the <span>MIME
   type</span> "<code data-x="">application/x-java-vm</code>"; otherwise it must return false.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   </div>
@@ -99134,8 +99052,11 @@ dictionary <dfn>CloseEventInit</dfn> : <span>EventInit</span> {
   that allows documents to communicate with each other regardless of their source domain, in a way
   designed to not enable cross-site scripting attacks.</p>
 
-  <p class="note">This API <a href="#fingerprint-postMessage">has some privacy implications</a> that
-  might not be immediately obvious.</p>
+  <p class="note" id="fingerprint-postMessage">The <code
+  data-x="dom-window-postMessage">postMessage()</code> API can be used as a <span>tracking
+  vector</span>.
+  <!-- INSERT TRACKING -->
+  </p>
 
 
   <h4>Introduction</h4>
@@ -101911,7 +101832,8 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
   data-x="dom-navigator-hardwareConcurrency">navigator.hardwareConcurrency</code></dfn> attribute's
   getter must return a number between 1 and the number of logical processors potentially available
   to the user agent. If this cannot be determined, the getter must return 1.
-  <!--INSERT FINGERPRINT--></p>
+  <!--INSERT TRACKING-->
+  </p>
 
   <p>User agents should err toward exposing the number of logical processors available, using lower
   values only in cases where there are user-agent specific limits in place (such as a limitation
@@ -102473,7 +102395,7 @@ interface <dfn>Storage</dfn> {
 
   <p>The <dfn><code data-x="dom-localStorage">localStorage</code></dfn> object provides a
   <code>Storage</code> object for an <span>origin</span>.
-  <!--INSERT FINGERPRINT-->
+  <!--INSERT TRACKING-->
   </p>
 
   <dl class="domintro">