Use Infra as infrastructure for tracking/fingerprinting marking #3

168 changes: 45 additions & 123 deletions source
Expand Up @@ -783,94 +783,6 @@ interface <dfn data-x="">Example</dfn> {



<h3 id="fingerprint">Privacy concerns</h3>

<!-- NON-NORMATIVE SECTION -->

<p>Some features of HTML trade user convenience for a measure of user privacy.</p>

<p>In general, due to the Internet's architecture, a user can be distinguished from another by the
user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
device, or from network to network, their IP address will change; similarly, NAT routing, proxy
servers, and shared computers enable packets that appear to all come from a single IP address to
actually map to multiple users. Technologies such as onion routing can be used to further
anonymize requests so that requests from a single user at one node on the Internet appear to come
from many disparate parts of the network.</p>

<p>However, the IP address used for a user's requests is not the only mechanism by which a user's
requests could be related to each other. Cookies, for example, are designed specifically to enable
this, and are the basis of most of the Web's session features that enable you to log into a site
with which you have an account.</p>

<p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
be used to distinguish groups of users from each other; by collecting enough such information, an
individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not
better than, an IP address in ascertaining which requests are from the same user.</p>

<p>Grouping requests in this manner, especially across multiple sites, can be used for both benign
(and even arguably positive) purposes, as well as for malevolent purposes. An example of a
reasonably benign purpose would be determining whether a particular person seems to prefer sites
with dog illustrations as opposed to sites with cat illustrations (based on how often they visit
the sites in question) and then automatically using the preferred illustrations on subsequent
visits to participating sites. Malevolent purposes, however, could include governments combining
information such as the person's home address (determined from the addresses they use when getting
driving directions on one site) with their apparent political affiliations (determined by
examining the forum sites that they participate in) to determine whether the person should be
prevented from voting in an election.</p>

<p>Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to
consider how to provide their users with tools to minimize leaking information that could be used
to fingerprint a user.</p>

<p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
to be derived from exposing the very information that can also be used for fingerprinting
purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to
log into a site to post under a specific identity requires that the user's requests be
identifiable as all being from the same user, more or less by definition. More subtly, though,
information such as how wide text is, which is necessary for many effects that involve drawing
text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks
information that can be used to group a user's requests. (In this case, by potentially exposing,
via a brute force search, which fonts a user has installed, information which can vary
considerably from user to user.)</p>

<p w-nodev>Features in this specification which can be <dfn data-x="fingerprinting vector">used to
fingerprint the user</dfn> are marked as this paragraph is.
<!--INSERT FINGERPRINT-->
</p>

<p>Other features in the platform can be used for the same purpose, though, including, though not
limited to:</p>

<ul>

<li>The exact list of which features a user agents supports.</li>

<li>The maximum allowed stack depth for recursion in script.</li>

<li>Features that describe the user's environment, like Media Queries and the <code>Screen</code>
object. <ref spec=MQ> <ref spec=CSSOMVIEW></li>

<li>The user's time zone.</li>

</ul>


<h4 id="fingerprint-postMessage">Cross-site communication</h4>

<p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
which two sites can communicate directly. At first glance, this might appear to open a new way by
which the problems described above can occur. However, in practice, multiple mechanisms exist by
which two sites can communicate that predate this API: a site embedding another can send data via
an <code>iframe</code> element's dimensions; a site can use a cross-site image request with a
unique identifier known to the server to initiate a server-side data exchange; or indeed the
fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
such that information can then be exchanged on the server side.</p>

<p>Fundamentally, users that do not trust a site to treat their information with respect have to
avoid visiting that site at all.</p>




<h3>A quick introduction to HTML</h3>

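Review bot: deleting the whole "Privacy concerns" section also deletes the only `<dfn data-x="fingerprinting vector">` in this file and the `id="fingerprint"` / `id="fingerprint-postMessage"` anchors, so every remaining `data-x="fingerprinting vector"` reference and every inbound `#fingerprint` link must be re-provided elsewhere in the same change or the build will report dangling references. The later hunks do re-add `id="fingerprint"`, an empty `<span id="fingerprinting-vector">` and a `tracking vector` dfn pointing at Infra, but the non-normative guidance that lived here (the IP-address and cookie discussion, the canvas text-width example that exposes installed fonts, and the encouragement to implementers to give users leak-minimising tools) is dropped outright rather than moved; please confirm that the Infra "tracking vector" section carries equivalent text, or keep a one-sentence pointer to it in place of the removed `<h3>`.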
Expand Down Expand Up @@ -2172,7 +2084,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
fingerprinting vector that increases the chances of users being uniquely identified, user agents
are encouraged to support the exact same set of <span data-x="plugin">plugins</span> for each
user.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

</div>
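Review bot: the rename from `<!--INSERT FINGERPRINT-->` to `<!--INSERT TRACKING-->` here (and in the other hunks) is only meaningful if the build step that expands this comment into the visible "tracking vector" marker is updated to recognise the new string; this PR touches only `source`, so please confirm the matching build-tool change exists, otherwise the comments stay in the output unexpanded and the marked paragraphs silently lose their privacy marker.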
Expand Down Expand Up @@ -2434,7 +2346,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<p id="hardwareLimitations">User agents may impose implementation-specific limits on otherwise
unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of
memory, or to work around platform-specific limitations.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>For compatibility with existing content and prior specifications, this specification describes
Expand Down Expand Up @@ -2472,6 +2384,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li>The general iteration terms <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-while">while</dfn>,
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-continue">continue</dfn>, and
<dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn>.</li>
<li id="fingerprint"><span id="fingerprinting-vector"></span><dfn
data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>
<!-- INSERT TRACKING -->
</li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
<dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
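Review bot: the marker on this new `<li>` is written `<!-- INSERT TRACKING -->` with inner spaces, while every other hunk in this PR uses `<!--INSERT TRACKING-->`; if the build matches the literal string, this one will be skipped, so normalise it to the unspaced form. Keeping `id="fingerprint"` and the empty `<span id="fingerprinting-vector"></span>` so old inbound links still resolve is the right call, but a short comment saying that the empty span exists only to preserve a legacy anchor would stop the next editor from removing it as dead markup.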
Expand Down Expand Up @@ -9471,7 +9387,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
<code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES><!--INSERT FINGERPRINT--></p>
using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES>
<!--INSERT TRACKING-->
</p>

<p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span>origin</span> is
Expand Down Expand Up @@ -34415,7 +34333,7 @@ interface <dfn>MediaError</dfn> {
<span>media resource</span>. In the even rarer case of a <span>media resource</span> with no
explicit timings of any kind, not even frame durations, the user agent must itself determine the
time for each frame in a user-agent-defined manner.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p class="note">An example of a file format with no explicit timeline but with explicit frame
Expand Down Expand Up @@ -48164,7 +48082,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
implementation-defined string that means "Submit" or some such.</span> The element is a <span
data-x="concept-button">button</span>, specifically a <span data-x="concept-submit-button">submit
button</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p class="note">Since the default label is implementation-defined, and the width of the button
Expand Down Expand Up @@ -48537,7 +48455,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
attribute, the button's label must be the value of that attribute; otherwise, it must be an
implementation-defined string that means "Reset" or some such.</span> The element is a <span
data-x="concept-button">button</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p class="note">Since the default label is implementation-defined, and the width of the button
Expand Down Expand Up @@ -63768,7 +63686,7 @@ try {
the <code>CanvasText</code> interface, and then using the returned <span>inline box</span> must
return a new <code>TextMetrics</code> object with members behaving as described in the following
list: <ref spec=CSS>
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

</div>
Expand Down Expand Up @@ -75138,7 +75056,7 @@ addShortcutKeyLabel(document.getElementById('c'));</code></pre>
key that corresponds to the value given in the attribute, can be used as the access key, then
the user agent may assign that combination of keys as the element's <span>assigned access
key</span> and return.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p></li>

</ol>
Expand Down Expand Up @@ -88047,7 +87965,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
<li>The user has not disabled scripting for this <span>browsing context</span> at this time.
(User agents may provide users with the option to disable scripting globally, or in a
finer-grained manner, e.g. on a per-origin basis.)
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</li>

<li id="sandboxScriptBlocked">The <span>browsing context</span>'s <span>active document</span>'s
Expand Down Expand Up @@ -90969,7 +90887,7 @@ import "https://example.com/foo/../module2.mjs";</code></pre>

<li><p>Let <var>message</var> be a user-agent-defined string describing the error in a
helpful manner.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p></li>

<li><p>Let <var>errorValue</var> be the value that represents the error: in the case of an
Expand Down Expand Up @@ -94863,7 +94781,7 @@ interface <dfn>Navigator</dfn> {
profile the user. In fact, if enough such information is available, a user can actually be
uniquely identified. For this reason, user agent implementers are strongly urged to include as
little information in this API as possible.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

</div>
Expand Down Expand Up @@ -94944,7 +94862,7 @@ interface <dfn>Navigator</dfn> {

<li>Any information in this API that varies from user to user can be used to profile or identify
the user.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</li>

<li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
Expand All @@ -94961,7 +94879,7 @@ interface <dfn>Navigator</dfn> {
<p>To avoid introducing any more fingerprinting vectors, user agents should use the same list for
the APIs defined in this function as for the HTTP `<code
data-x="http-accept-language">Accept-Language</code>` header.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

</div>
Expand Down Expand Up @@ -95508,13 +95426,13 @@ interface <dfn>MimeType</dfn> {
<p>The <span>supported property indices</span> of a <code>PluginArray</code> object are the
numbers from zero to the number of non-<span data-x="hidden plugin">hidden</span> <span
data-x="plugin">plugins</span> represented by the object, if any.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-PluginArray-length">length</code></dfn> attribute must return the
number of non-<span data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span>
represented by the object.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-PluginArray-item">item()</code></dfn> method of a
Expand All @@ -95535,14 +95453,14 @@ interface <dfn>MimeType</dfn> {

</ol>

<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
privacy</span> that the order of plugins not leak additional information, e.g. the order in which
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
privacy</span> that the order of plugins not leak additional information, e.g., the order in which
plugins were installed.</p>

<p>The <span>supported property names</span> of a <code>PluginArray</code> object are the values
of the <code data-x="dom-Plugin-name">name</code> attributes of all the <code
data-x="dom-Plugin">Plugin</code> objects represented by the <code>PluginArray</code> object.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-PluginArray-namedItem">namedItem()</code></dfn> method of a
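Review bot: `data-x="tracking vector"` on these notes resolves only because the same commit adds `<dfn data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>` to the Infra terms list, so the two edits must land together or cross-reference resolution breaks; worth stating in the commit message. The `e.g.` to `e.g.,` change in the same lines is an unrelated editorial tweak that is fine but would be easier to review in its own commit.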
Expand Down Expand Up @@ -95587,14 +95505,14 @@ interface <dfn>MimeType</dfn> {
supported</span> by non-<span data-x="hidden plugin">hidden</span> <span
data-x="plugin">plugins</span> represented by the corresponding <code>PluginArray</code> object, if
any.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-MimeTypeArray-length">length</code></dfn> attribute must return the
number of <span data-x="MIME type">MIME types</span> <span>explicitly supported</span> by non-<span
data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span> represented by the
corresponding <code>PluginArray</code> object, if any.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-MimeTypeArray-item">item()</code></dfn> method of a
Expand All @@ -95616,14 +95534,14 @@ interface <dfn>MimeType</dfn> {

</ol>

<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
privacy</span> that the order of MIME types not leak additional information, e.g. the order in
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
privacy</span> that the order of MIME types not leak additional information, e.g., the order in
which plugins were installed.</p>

<p>The <span>supported property names</span> of a <code>MimeTypeArray</code> object are the values
of the <code data-x="dom-MimeType-type">type</code> attributes of all the <code>MimeType</code>
objects represented by the <code>MimeTypeArray</code> object.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-MimeTypeArray-namedItem">namedItem()</code></dfn> method of a
Expand Down Expand Up @@ -95652,12 +95570,12 @@ interface <dfn>MimeType</dfn> {

<p>The <span>supported property indices</span> of a <code data-x="dom-Plugin">Plugin</code> object
are the numbers from zero to the number of <span>reported MIME types</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-Plugin-length">length</code></dfn> attribute must return the number
of <span>reported MIME types</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-Plugin-item">item()</code></dfn> method of a <code
Expand All @@ -95677,14 +95595,14 @@ interface <dfn>MimeType</dfn> {

</ol>

<p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
privacy</span> that the order of MIME types not leak additional information, e.g. the order in
<p class="note">It is important <span class="no-backref" data-x="tracking vector">for
privacy</span> that the order of MIME types not leak additional information, e.g., the order in
which plugins were installed.</p>

<p>The <span>supported property names</span> of a <code data-x="dom-Plugin">Plugin</code> object
are the values of the <code data-x="dom-MimeType-type">type</code> attributes of the
<code>MimeType</code> objects representing the <span>reported MIME types</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p>The <dfn><code data-x="dom-Plugin-namedItem">namedItem()</code></dfn> method of a <code
Expand All @@ -95710,7 +95628,7 @@ interface <dfn>MimeType</dfn> {
data-x="dom-Plugin-description">description</code> attribute just return the same value as the
<code data-x="dom-Plugin-name">name</code> attribute, and that the <code
data-x="dom-Plugin-filename">filename</code> attribute return the empty string.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<hr>
Expand Down Expand Up @@ -95740,7 +95658,7 @@ interface <dfn>MimeType</dfn> {
data-x="dom-MimeType-description">description</code> attribute just return the same value as the
<code data-x="dom-MimeType-type">type</code> attribute, and that the <code
data-x="dom-MimeType-suffixes">suffixes</code> attribute return the empty string.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<p class="note">Commas in the <code data-x="dom-MimeType-suffixes">suffixes</code> attribute are
Expand All @@ -95759,7 +95677,7 @@ interface <dfn>MimeType</dfn> {
<p>The <dfn><code data-x="dom-navigator-javaEnabled">navigator.javaEnabled()</code></dfn> method
must return true if the user agent supports a <span>plugin</span> that supports the <span>MIME
type</span> "<code data-x="">application/x-java-vm</code>"; otherwise it must return false.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

</div>
Expand Down Expand Up @@ -98433,8 +98351,11 @@ dictionary <dfn>CloseEventInit</dfn> : <span>EventInit</span> {
that allows documents to communicate with each other regardless of their source domain, in a way
designed to not enable cross-site scripting attacks.</p>

<p class="note">This API <a href="#fingerprint-postMessage">has some privacy implications</a> that
might not be immediately obvious.</p>
<p class="note" id="fingerprint-postMessage">The <code
data-x="dom-window-postMessage">postMessage()</code> API can be used as a <span>tracking
vector</span>.
<!-- INSERT TRACKING -->
</p>

<div w-nodev>

Expand Down Expand Up @@ -101220,7 +101141,8 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
data-x="dom-navigator-hardwareConcurrency">navigator.hardwareConcurrency</code></dfn> attribute's
getter must return a number between 1 and the number of logical processors potentially available
to the user agent. If this cannot be determined, the getter must return 1.
<!--INSERT FINGERPRINT--></p>
<!--INSERT TRACKING-->
</p>

<p>User agents should err toward exposing the number of logical processors available, using lower
values only in cases where there are user-agent specific limits in place (such as a limitation
Expand Down Expand Up @@ -101782,7 +101704,7 @@ interface <dfn>Storage</dfn> {

<p>The <dfn><code data-x="dom-localStorage">localStorage</code></dfn> object provides a
<code>Storage</code> object for an <span>origin</span>.
<!--INSERT FINGERPRINT-->
<!--INSERT TRACKING-->
</p>

<dl class="domintro">
Expand Down