Provide guidelines or heuristics to prevent fingerprinting in case permission is denied #361
Comments
How do you envision this set of denied permissions being used to discover that 2 visits on different top-level sites come from the same person?
I think denied state should always be exposed by default.
One possibility is for the two web sites to go to the same origin C and then navigate to the actual page (say when both pages are in the background).
Can you detail potential downsides?
https://w3c.github.io/permissions/#privacy-considerations discusses privacy concerns.
One case that is of concern is if the user is not trusting the website and is permanently denying the permission.
This could be used as a permanent fingerprint that is more difficult to clean up than other website data like cookies.
One potential countermeasure is that the Permissions API would only expose the denied state after the web site actually tries to call the API requesting access.
For instance, a web page is loaded on a site where camera is denied permanently:
Thoughts?
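A small model of the countermeasure proposed in the issue above, as an added example that is not part of the original thread or of the Permissions specification. `PageContext`, `storedDecisions` and `probe` are hypothetical names, and the stored decisions are constructed sample data.

```javascript
// Model of "expose 'denied' only after the page has tried the capability".
// Hypothetical names throughout; not the spec's algorithm or a browser's code.

// Persistent user decisions keyed by "origin|permission" (constructed data).
const storedDecisions = new Map([
  ["https://c.example|camera", "denied"],
  ["https://c.example|geolocation", "denied"],
  ["https://c.example|microphone", "granted"],
]);

// One PageContext per page load; `attempted` starts empty on every navigation.
class PageContext {
  constructor(origin) {
    this.origin = origin;
    this.attempted = new Set();
  }

  stored(name) {
    return storedDecisions.get(`${this.origin}|${name}`) ?? "prompt";
  }

  // Stand-in for the capability call itself (e.g. requesting the camera).
  // The page learns the real outcome here anyway, so revealing it in
  // query() afterwards leaks nothing new.
  request(name) {
    this.attempted.add(name);
    return this.stored(name);
  }

  // Stand-in for a permission query: a stored "denied" is reported as
  // "prompt" until this page load has actually requested the capability.
  // "granted" is left visible because the issue only discusses "denied".
  query(name) {
    const state = this.stored(name);
    if (state === "denied" && !this.attempted.has(name)) return "prompt";
    return state;
  }
}

// What a silent probe of several permissions observes on this page load.
function probe(ctx, names) {
  return names.map((n) => `${n}=${ctx.query(n)}`).join(",");
}
```

Under this model a background probe cannot distinguish a user who permanently denied the camera from one who was never asked; the distinction appears only after a visible request is made.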