diff --git a/source b/source index ae3cd2248f3..b21bfbcd6d8 100644 --- a/source +++ b/source @@ -783,94 +783,6 @@ interface Example { -
Some features of HTML trade user convenience for a measure of user privacy.
- -In general, due to the Internet's architecture, a user can be distinguished from another by the - user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to - device, or from network to network, their IP address will change; similarly, NAT routing, proxy - servers, and shared computers enable packets that appear to all come from a single IP address to - actually map to multiple users. Technologies such as onion routing can be used to further - anonymize requests so that requests from a single user at one node on the Internet appear to come - from many disparate parts of the network.
- -However, the IP address used for a user's requests is not the only mechanism by which a user's - requests could be related to each other. Cookies, for example, are designed specifically to enable - this, and are the basis of most of the Web's session features that enable you to log into a site - with which you have an account.
- -There are other mechanisms that are more subtle. Certain characteristics of a user's system can - be used to distinguish groups of users from each other; by collecting enough such information, an - individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not - better than, an IP address in ascertaining which requests are from the same user.
- -Grouping requests in this manner, especially across multiple sites, can be used for both benign - (and even arguably positive) purposes, as well as for malevolent purposes. An example of a - reasonably benign purpose would be determining whether a particular person seems to prefer sites - with dog illustrations as opposed to sites with cat illustrations (based on how often they visit - the sites in question) and then automatically using the preferred illustrations on subsequent - visits to participating sites. Malevolent purposes, however, could include governments combining - information such as the person's home address (determined from the addresses they use when getting - driving directions on one site) with their apparent political affiliations (determined by - examining the forum sites that they participate in) to determine whether the person should be - prevented from voting in an election.
- -Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to - consider how to provide their users with tools to minimize leaking information that could be used - to fingerprint a user.
- -Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit - to be derived from exposing the very information that can also be used for fingerprinting - purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to - log into a site to post under a specific identity requires that the user's requests be - identifiable as all being from the same user, more or less by definition. More subtly, though, - information such as how wide text is, which is necessary for many effects that involve drawing - text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks - information that can be used to group a user's requests. (In this case, by potentially exposing, - via a brute force search, which fonts a user has installed, information which can vary - considerably from user to user.)
- -Features in this specification which can be used to - fingerprint the user are marked as this paragraph is. - -
- -Other features in the platform can be used for the same purpose, though, including, though not - limited to:
- -Screen
- object. The postMessage()
API provides a mechanism by
- which two sites can communicate directly. At first glance, this might appear to open a new way by
- which the problems described above can occur. However, in practice, multiple mechanisms exist by
- which two sites can communicate that predate this API: a site embedding another can send data via
- an iframe
element's dimensions; a site can use a cross-site image request with a
- unique identifier known to the server to initiate a server-side data exchange; or indeed the
- fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
- such that information can then be exchanged on the server side.
Fundamentally, users that do not trust a site to treat their information with respect have to - avoid visiting that site at all.
- - -User agents may impose implementation-specific limits on otherwise unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of memory, or to work around platform-specific limitations. - +
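Review bot: this hunk deletes the only sentence that defines what the per-feature fingerprinting annotation means ("Features in this specification which can be used to fingerprint the user are marked as this paragraph is."), yet the remaining hunks of this patch keep marking individual features (TextMetrics, Navigator, PluginArray, localStorage); whatever replaces the section (the "+" lines at the end of this hunk are empty in this copy) must still say what the marker denotes, or point to where that is now defined. Two further things go with it: the rationale for marking canvas text measurement (text width exposes installed fonts via brute-force search) disappears with the section, so consider keeping a one-line note at the TextMetrics definition; and the paragraph "User agents may impose implementation-specific limits on otherwise unconstrained inputs, e.g. to prevent denial of service attacks..." is removed in the same hunk although it concerns resource exhaustion, not privacy. If it has been moved, the move is not visible here; if not, that guidance should not be lost.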
For compatibility with existing content and prior specifications, this specification describes @@ -2472,6 +2384,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
SecurityError
"
DOMException
. Otherwise, the user agent must return the cookie-string
for the document's URL for a "non-HTTP" API, decoded
- using UTF-8 decode without BOM.
+ using UTF-8 decode without BOM.
+
+
On setting, if the document is a cookie-averse Document
object, then
the user agent must do nothing. Otherwise, if the Document
's origin is
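Review bot: the four added lines after "using UTF-8 decode without BOM." are empty in this copy, so their content cannot be checked; what is visible is the insertion point, which sits after the getter's final "Otherwise, the user agent must return the cookie-string ..." step and before "On setting, ...". If this is the tracking-vector annotation for document.cookie, attach it to the attribute as a whole rather than to the getter: the setter is the half that lets a site persist an identifier in the first place, and an annotation wedged between the two algorithms reads as if only reading cookies were the concern.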
@@ -34415,7 +34333,7 @@ interface MediaError {
media resource. In the even rarer case of a media resource with no
explicit timings of any kind, not even frame durations, the user agent must itself determine the
time for each frame in a user-agent-defined manner.
-
+
An example of a file format with no explicit timeline but with explicit frame @@ -48164,7 +48082,7 @@ ldh-str = < as defined in The element is a button, specifically a submit button. - +
Since the default label is implementation-defined, and the width of the button @@ -48537,7 +48455,7 @@ ldh-str = < as defined in The element is a button. - +
Since the default label is implementation-defined, and the width of the button
@@ -63768,7 +63686,7 @@ try {
the CanvasText
interface, and then using the returned inline box must
return a new TextMetrics
object with members behaving as described in the following
list:
-
+
Let message be a user-agent-defined string describing the error in a helpful manner. - +
Let errorValue be the value that represents the error: in the case of an @@ -94863,7 +94781,7 @@ interface Navigator { profile the user. In fact, if enough such information is available, a user can actually be uniquely identified. For this reason, user agent implementers are strongly urged to include as little information in this API as possible. - +
@@ -94944,7 +94862,7 @@ interface Navigator {To avoid introducing any more fingerprinting vectors, user agents should use the same list for
the APIs defined in this function as for the HTTP `Accept-Language
` header.
-
+
The supported property indices of a PluginArray
object are the
numbers from zero to the number of non-hidden plugins represented by the object, if any.
-
+
The length
attribute must return the
number of non-hidden plugins
represented by the object.
-
+
The item()
method of a
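Review bot: the unchanged context in this hunk still speaks of "fingerprinting vectors" ("To avoid introducing any more fingerprinting vectors, user agents should use the same list ... as for the HTTP Accept-Language header"), while the new wording added later in this patch calls the same class of issue a "tracking vector". If the term is being renamed, rename it in this sentence too; otherwise the document ends up with two names for one concept and the new marker has no textual anchor here.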
@@ -95535,14 +95453,14 @@ interface MimeType {
-
It is important for - privacy that the order of plugins not leak additional information, e.g. the order in which +
It is important for + privacy that the order of plugins not leak additional information, e.g., the order in which plugins were installed.
The supported property names of a PluginArray
object are the values
of the name
attributes of all the Plugin
objects represented by the PluginArray
object.
-
+
The namedItem()
method of a
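Review bot: apart from the marker swap, the only textual change in this hunk is "e.g." becoming "e.g.,", and the same punctuation-only edit recurs in the following MIME-type hunks. It is an unrelated editorial fix riding on an annotation change; either split it into its own commit or mention it in the commit message, so that a reader of the history does not expect a substantive change to the privacy note about plugin order.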
@@ -95587,14 +95505,14 @@ interface MimeType {
supported by non-hidden plugins represented by the corresponding PluginArray
object, if
any.
-
+
The length
attribute must return the
number of MIME types explicitly supported by non-hidden plugins represented by the
corresponding PluginArray
object, if any.
-
+
The item()
method of a
@@ -95616,14 +95534,14 @@ interface MimeType {
-
It is important for - privacy that the order of MIME types not leak additional information, e.g. the order in +
It is important for + privacy that the order of MIME types not leak additional information, e.g., the order in which plugins were installed.
The supported property names of a MimeTypeArray
object are the values
of the type
attributes of all the MimeType
objects represented by the MimeTypeArray
object.
-
+
The namedItem()
method of a
@@ -95652,12 +95570,12 @@ interface MimeType {
The supported property indices of a Plugin
object
are the numbers from zero to the number of reported MIME types.
-
+
The length
attribute must return the number
of reported MIME types.
-
+
The It is important for
- privacy that the order of MIME types not leak additional information, e.g. the order in
+ It is important for
+ privacy that the order of MIME types not leak additional information, e.g., the order in
which plugins were installed. The supported property names of a The item()
method of a MimeType {
-
attribute just return the same value as the
Plugin
object
are the values of the type
attributes of the
MimeType
objects representing the reported MIME types.
-
+
namedItem()
method of a MimeType {
data-x="dom-Plugin-description">description
attribute just return the same value as the
name
attribute, and that the filename
attribute return the empty string.
-
+
@@ -95740,7 +95658,7 @@ interface MimeType {
data-x="dom-MimeType-description">descriptiontype
attribute, and that the suffixes
attribute return the empty string.
-
+
Commas in the suffixes
attribute are
@@ -95759,7 +95677,7 @@ interface MimeType {
The navigator.javaEnabled()
method
must return true if the user agent supports a plugin that supports the MIME
type "application/x-java-vm
"; otherwise it must return false.
-
+
This API has some privacy implications that - might not be immediately obvious.
+The postMessage()
API can be used as a tracking
+ vector.
+
+
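Review bot: the replacement text "The postMessage() API can be used as a tracking vector." does not fit where it lands: the surrounding context is navigator.javaEnabled() ("application/x-java-vm") and the paragraph on "the number of logical processors available", and the sentence it replaces ("This API has some privacy implications that might not be immediately obvious.") was about that API, not postMessage(). Either this note belongs in the postMessage() section or it should name the API it annotates. It also reverses the position of the paragraph deleted in the first hunk, which argued that postMessage() opens no new channel because two sites can already exchange data through iframe dimensions, cross-site image requests carrying a unique identifier, or server-side matching of fingerprints; if the spec now wants to call postMessage() a tracking vector outright, say what it adds over those pre-existing channels, or keep the nuance.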
User agents should err toward exposing the number of logical processors available, using lower values only in cases where there are user-agent specific limits in place (such as a limitation @@ -101782,7 +101704,7 @@ interface Storage {
The localStorage
object provides a
Storage
object for an origin.
-
+
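Review bot: the marker swap here annotates localStorage, a per-origin store that lets a site re-identify a visitor across visits independently of cookies, which is consistent with the document.cookie hunk earlier in this patch; sessionStorage does not appear anywhere in the patch, though. Check whether it should carry the same marker (it still lets a site correlate requests within a browsing session) or record why it is exempt, so the annotation set is consistent across the Storage section.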