Use Infra as infrastructure for tracking/fingerprinting marking

This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.
whatwg · Jan 15, 2020 · febea88 · febea88
1 parent 0b8e268
commit febea88
Showing 1 changed file with 45 additions and 123 deletions.
diff --git a/source b/source
@@ -785,94 +785,6 @@ interface <dfn data-x="">Example</dfn> {
 
 
 
- <h3 id="fingerprint">Privacy concerns</h3>
-
- <!-- NON-NORMATIVE SECTION -->
-
- <p>Some features of HTML trade user convenience for a measure of user privacy.</p>
-
- <p>In general, due to the Internet's architecture, a user can be distinguished from another by the
- user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
- device, or from network to network, their IP address will change; similarly, NAT routing, proxy
- servers, and shared computers enable packets that appear to all come from a single IP address to
- actually map to multiple users. Technologies such as onion routing can be used to further
- anonymize requests so that requests from a single user at one node on the Internet appear to come
- from many disparate parts of the network.</p>
-
- <p>However, the IP address used for a user's requests is not the only mechanism by which a user's
- requests could be related to each other. Cookies, for example, are designed specifically to enable
- this, and are the basis of most of the Web's session features that enable you to log into a site
- with which you have an account.</p>
-
- <p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
- be used to distinguish groups of users from each other; by collecting enough such information, an
- individual user's browser's "digital fingerprint" can be computed, which can be as good as, if not
- better than, an IP address in ascertaining which requests are from the same user.</p>
-
- <p>Grouping requests in this manner, especially across multiple sites, can be used for both benign
- (and even arguably positive) purposes, as well as for malevolent purposes. An example of a
- reasonably benign purpose would be determining whether a particular person seems to prefer sites
- with dog illustrations as opposed to sites with cat illustrations (based on how often they visit
- the sites in question) and then automatically using the preferred illustrations on subsequent
- visits to participating sites. Malevolent purposes, however, could include governments combining
- information such as the person's home address (determined from the addresses they use when getting
- driving directions on one site) with their apparent political affiliations (determined by
- examining the forum sites that they participate in) to determine whether the person should be
- prevented from voting in an election.</p>
-
- <p>Since the malevolent purposes can be remarkably evil, user agent implementers are encouraged to
- consider how to provide their users with tools to minimize leaking information that could be used
- to fingerprint a user.</p>
-
- <p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
- to be derived from exposing the very information that can also be used for fingerprinting
- purposes, so it's not as easy as simply blocking all possible leaks. For instance, the ability to
- log into a site to post under a specific identity requires that the user's requests be
- identifiable as all being from the same user, more or less by definition. More subtly, though,
- information such as how wide text is, which is necessary for many effects that involve drawing
- text onto a canvas (e.g. any effect that involves drawing a border around the text) also leaks
- information that can be used to group a user's requests. (In this case, by potentially exposing,
- via a brute force search, which fonts a user has installed, information which can vary
- considerably from user to user.)</p>
-
- <p w-nodev>Features in this specification which can be <dfn data-x="fingerprinting vector">used to
- fingerprint the user</dfn> are marked as this paragraph is.
- <!--INSERT FINGERPRINT-->
- </p>
-
- <p>Other features in the platform can be used for the same purpose, though, including, though not
- limited to:</p>
-
- <ul>
-
- <li>The exact list of which features a user agents supports.</li>
-
- <li>The maximum allowed stack depth for recursion in script.</li>
-
- <li>Features that describe the user's environment, like Media Queries and the <code>Screen</code>
- object. <ref spec=MQ> <ref spec=CSSOMVIEW></li>
-
- <li>The user's time zone.</li>
-
- </ul>
-
-
- <h4 id="fingerprint-postMessage">Cross-site communication</h4>
-
- <p>The <code data-x="dom-window-postMessage">postMessage()</code> API provides a mechanism by
- which two sites can communicate directly. At first glance, this might appear to open a new way by
- which the problems described above can occur. However, in practice, multiple mechanisms exist by
- which two sites can communicate that predate this API: a site embedding another can send data via
- an <code>iframe</code> element's dimensions; a site can use a cross-site image request with a
- unique identifier known to the server to initiate a server-side data exchange; or indeed the
- fingerprinting techniques described above can be used by two sites to uniquely identify a visitor
- such that information can then be exchanged on the server side.</p>
-
- <p>Fundamentally, users that do not trust a site to treat their information with respect have to
- avoid visiting that site at all.</p>
-
-
-
 
  <h3>A quick introduction to HTML</h3>
 
@@ -2174,7 +2086,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  fingerprinting vector that increases the chances of users being uniquely identified, user agents
  are encouraged to support the exact same set of <span data-x="plugin">plugins</span> for each
  user.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  </div>
@@ -2436,7 +2348,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  <p id="hardwareLimitations">User agents may impose implementation-specific limits on otherwise
  unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of
  memory, or to work around platform-specific limitations.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>For compatibility with existing content and prior specifications, this specification describes
@@ -2474,6 +2386,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  <li>The general iteration terms <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-while">while</dfn>,
  <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-continue">continue</dfn>, and
  <dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn>.</li>
+ <li id="fingerprint"><span id="fingerprinting-vector"></span><dfn
+ data-x-href="https://infra.spec.whatwg.org/#tracking-vector">tracking vector</dfn>
+ <!-- INSERT TRACKING -->
+ </li>
  <li><dfn data-x-href="https://infra.spec.whatwg.org/#code-point">code point</dfn> and its synonym
  <dfn data-x-href="https://infra.spec.whatwg.org/#code-point">character</dfn></li>
  <li><dfn data-x-href="https://infra.spec.whatwg.org/#surrogate">surrogate</dfn></li>
@@ -9469,7 +9385,9 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
  origin</span>, the user agent must throw a <span>"<code>SecurityError</code>"</span>
  <code>DOMException</code>. Otherwise, the user agent must return the <span>cookie-string</span>
  for the document's <span data-x="concept-document-url">URL</span> for a "non-HTTP" API, decoded
- using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES><!--INSERT FINGERPRINT--></p>
+ using <span>UTF-8 decode without BOM</span>. <ref spec=COOKIES>
+ <!--INSERT TRACKING-->
+ </p>
 
  <p>On setting, if the document is a <span>cookie-averse <code>Document</code> object</span>, then
  the user agent must do nothing. Otherwise, if the <code>Document</code>'s <span>origin</span> is
@@ -34757,7 +34675,7 @@ interface <dfn>MediaError</dfn> {
  <span>media resource</span>. In the even rarer case of a <span>media resource</span> with no
  explicit timings of any kind, not even frame durations, the user agent must itself determine the
  time for each frame in a user-agent-defined manner.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p class="note">An example of a file format with no explicit timeline but with explicit frame
@@ -48669,7 +48587,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
  implementation-defined string that means "Submit" or some such.</span> The element is a <span
  data-x="concept-button">button</span>, specifically a <span data-x="concept-submit-button">submit
  button</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p class="note">Since the default label is implementation-defined, and the width of the button
@@ -49042,7 +48960,7 @@ ldh-str = &lt; as defined in <a href="https://tools.ietf.org/html/rfc1034#
  attribute, the button's label must be the value of that attribute; otherwise, it must be an
  implementation-defined string that means "Reset" or some such.</span> The element is a <span
  data-x="concept-button">button</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p class="note">Since the default label is implementation-defined, and the width of the button
@@ -64345,7 +64263,7 @@ try {
  the <code>CanvasText</code> interface, and then using the returned <span>inline box</span> must
  return a new <code>TextMetrics</code> object with members behaving as described in the following
  list: <ref spec=CSS>
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  </div>
@@ -75869,7 +75787,7 @@ addShortcutKeyLabel(document.getElementById('c'));</code></pre>
  key that corresponds to the value given in the attribute, can be used as the access key, then
  the user agent may assign that combination of keys as the element's <span>assigned access
  key</span> and return.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p></li>
 
  </ol>
@@ -88884,7 +88802,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
  <li>The user has not disabled scripting for this <span>browsing context</span> at this time.
  (User agents may provide users with the option to disable scripting globally, or in a
  finer-grained manner, e.g. on a per-origin basis.)
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </li>
 
  <li id="sandboxScriptBlocked">The <span>browsing context</span>'s <span>active document</span>'s
@@ -91671,7 +91589,7 @@ import "https://example.com/foo/../module2.mjs";</code></pre>
 
  <li><p>Let <var>message</var> be a user-agent-defined string describing the error in a
  helpful manner.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p></li>
 
  <li><p>Let <var>errorValue</var> be the value that represents the error: in the case of an
@@ -95585,7 +95503,7 @@ interface <dfn>Navigator</dfn> {
  profile the user. In fact, if enough such information is available, a user can actually be
  uniquely identified. For this reason, user agent implementers are strongly urged to include as
  little information in this API as possible.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  </div>
@@ -95666,7 +95584,7 @@ interface <dfn>Navigator</dfn> {
 
  <li>Any information in this API that varies from user to user can be used to profile or identify
  the user.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </li>
 
  <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
@@ -95683,7 +95601,7 @@ interface <dfn>Navigator</dfn> {
  <p>To avoid introducing any more fingerprinting vectors, user agents should use the same list for
  the APIs defined in this function as for the HTTP `<code
  data-x="http-accept-language">Accept-Language</code>` header.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  </div>
@@ -96216,13 +96134,13 @@ interface <dfn>MimeType</dfn> {
  <p>The <span>supported property indices</span> of a <code>PluginArray</code> object are the
  numbers from zero to the number of non-<span data-x="hidden plugin">hidden</span> <span
  data-x="plugin">plugins</span> represented by the object, if any.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-PluginArray-length">length</code></dfn> attribute must return the
  number of non-<span data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span>
  represented by the object.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-PluginArray-item">item()</code></dfn> method of a
@@ -96243,14 +96161,14 @@ interface <dfn>MimeType</dfn> {
 
  </ol>
 
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
- privacy</span> that the order of plugins not leak additional information, e.g. the order in which
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+ privacy</span> that the order of plugins not leak additional information, e.g., the order in which
  plugins were installed.</p>
 
  <p>The <span>supported property names</span> of a <code>PluginArray</code> object are the values
  of the <code data-x="dom-Plugin-name">name</code> attributes of all the <code
  data-x="dom-Plugin">Plugin</code> objects represented by the <code>PluginArray</code> object.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-PluginArray-namedItem">namedItem()</code></dfn> method of a
@@ -96295,14 +96213,14 @@ interface <dfn>MimeType</dfn> {
  supported</span> by non-<span data-x="hidden plugin">hidden</span> <span
  data-x="plugin">plugins</span> represented by the corresponding <code>PluginArray</code> object, if
  any.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-MimeTypeArray-length">length</code></dfn> attribute must return the
  number of <span data-x="MIME type">MIME types</span> <span>explicitly supported</span> by non-<span
  data-x="hidden plugin">hidden</span> <span data-x="plugin">plugins</span> represented by the
  corresponding <code>PluginArray</code> object, if any.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-MimeTypeArray-item">item()</code></dfn> method of a
@@ -96324,14 +96242,14 @@ interface <dfn>MimeType</dfn> {
 
  </ol>
 
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
- privacy</span> that the order of MIME types not leak additional information, e.g. the order in
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+ privacy</span> that the order of MIME types not leak additional information, e.g., the order in
  which plugins were installed.</p>
 
  <p>The <span>supported property names</span> of a <code>MimeTypeArray</code> object are the values
  of the <code data-x="dom-MimeType-type">type</code> attributes of all the <code>MimeType</code>
  objects represented by the <code>MimeTypeArray</code> object.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-MimeTypeArray-namedItem">namedItem()</code></dfn> method of a
@@ -96360,12 +96278,12 @@ interface <dfn>MimeType</dfn> {
 
  <p>The <span>supported property indices</span> of a <code data-x="dom-Plugin">Plugin</code> object
  are the numbers from zero to the number of <span>reported MIME types</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-Plugin-length">length</code></dfn> attribute must return the number
  of <span>reported MIME types</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-Plugin-item">item()</code></dfn> method of a <code
@@ -96385,14 +96303,14 @@ interface <dfn>MimeType</dfn> {
 
  </ol>
 
- <p class="note">It is important <span class="no-backref" data-x="fingerprinting vector">for
- privacy</span> that the order of MIME types not leak additional information, e.g. the order in
+ <p class="note">It is important <span class="no-backref" data-x="tracking vector">for
+ privacy</span> that the order of MIME types not leak additional information, e.g., the order in
  which plugins were installed.</p>
 
  <p>The <span>supported property names</span> of a <code data-x="dom-Plugin">Plugin</code> object
  are the values of the <code data-x="dom-MimeType-type">type</code> attributes of the
  <code>MimeType</code> objects representing the <span>reported MIME types</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p>The <dfn><code data-x="dom-Plugin-namedItem">namedItem()</code></dfn> method of a <code
@@ -96418,7 +96336,7 @@ interface <dfn>MimeType</dfn> {
  data-x="dom-Plugin-description">description</code> attribute just return the same value as the
  <code data-x="dom-Plugin-name">name</code> attribute, and that the <code
  data-x="dom-Plugin-filename">filename</code> attribute return the empty string.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <hr>
@@ -96448,7 +96366,7 @@ interface <dfn>MimeType</dfn> {
  data-x="dom-MimeType-description">description</code> attribute just return the same value as the
  <code data-x="dom-MimeType-type">type</code> attribute, and that the <code
  data-x="dom-MimeType-suffixes">suffixes</code> attribute return the empty string.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <p class="note">Commas in the <code data-x="dom-MimeType-suffixes">suffixes</code> attribute are
@@ -96467,7 +96385,7 @@ interface <dfn>MimeType</dfn> {
  <p>The <dfn><code data-x="dom-navigator-javaEnabled">navigator.javaEnabled()</code></dfn> method
  must return true if the user agent supports a <span>plugin</span> that supports the <span>MIME
  type</span> "<code data-x="">application/x-java-vm</code>"; otherwise it must return false.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  </div>
@@ -99134,8 +99052,11 @@ dictionary <dfn>CloseEventInit</dfn> : <span>EventInit</span> {
  that allows documents to communicate with each other regardless of their source domain, in a way
  designed to not enable cross-site scripting attacks.</p>
 
- <p class="note">This API <a href="#fingerprint-postMessage">has some privacy implications</a> that
- might not be immediately obvious.</p>
+ <p class="note" id="fingerprint-postMessage">The <code
+ data-x="dom-window-postMessage">postMessage()</code> API can be used as a <span>tracking
+ vector</span>.
+ <!-- INSERT TRACKING -->
+ </p>
 
 
  <h4>Introduction</h4>
@@ -101911,7 +101832,8 @@ interface <dfn>SharedWorker</dfn> : <span>EventTarget</span> {
  data-x="dom-navigator-hardwareConcurrency">navigator.hardwareConcurrency</code></dfn> attribute's
  getter must return a number between 1 and the number of logical processors potentially available
  to the user agent. If this cannot be determined, the getter must return 1.
- <!--INSERT FINGERPRINT--></p>
+ <!--INSERT TRACKING-->
+ </p>
 
  <p>User agents should err toward exposing the number of logical processors available, using lower
  values only in cases where there are user-agent specific limits in place (such as a limitation
@@ -102473,7 +102395,7 @@ interface <dfn>Storage</dfn> {
 
  <p>The <dfn><code data-x="dom-localStorage">localStorage</code></dfn> object provides a
  <code>Storage</code> object for an <span>origin</span>.
- <!--INSERT FINGERPRINT-->
+ <!--INSERT TRACKING-->
  </p>
 
  <dl class="domintro">