-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sticky opt-in mechanism can be misused as super cookie #242
Comments
Note that there was an Accept-CH-Lifetime header at one point in the CH spec that let origins to specify the persistence of hints but this was dropped in mid 2019. |
This is an issue with the HTTP Client Hints more than this definition of particular hints; this is defined in RFC 8942.
The relevant section of the spec:
Emphasis my own. The current implementation in chrome clears the preferences on browser restart and if origin-specific information is cleared (e.g. cookies, storage, cache). |
https://wicg.github.io/client-hints-infrastructure/#accept-ch-cache-definition also states:
@johnwilander wrote:
Thanks for the feedback - we could do a better job of connecting the dots between RFC8942 and Client Hints Infra in the UA-CH spec (and linking to those from the explainer). |
That sounds to me like a per-session super cookie since there is no partitioning. Would you agree? If so, any site the user has a logged in first-party relationship with can set the same super cookie for every browsing session and persistently track the user across websites. |
The Accept-CH cache only applies to top-level navigations, so it's effectively partitioned by top-level origin anyway. But we could require partitioning to be consistent with the rest of the platform that's moving in that direction. I'll file a bug on the right repo. |
Let's close here and continue the conversation in WICG/client-hints-infrastructure#75 |
From the explainer:
The proposal lists three response headers as the default and seven response headers in total. That looks like four-bit persistent storage. For how long will "subsequent requests" adhere to the opt-in headers the server has sent? Is it per-page, per tab, ephemeral per browsing session, or persistent?
Is the opt-in state partitioned per top site? If not, eight auxiliary domains can form a 4*8=32-bit identifier.
I searched the explainer for some keywords like "sticky," "persistent," "scope," "partition," and "session," but couldn't find this issue addressed. I also did some casual searches for existing issues but didn't find any.
The text was updated successfully, but these errors were encountered: