[Privacy] Clarify steps to generate callbackId #81

Closed
markafoltz opened this issue May 4, 2017 · 6 comments
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@markafoltz
Contributor

markafoltz commented May 4, 2017

https://lists.w3.org/Archives/Public/public-privacy/2017JanMar/0009.html

  1. It is unclear if the callbackId is derived from a unique identifier on the Callback device (e.g. a hash value of a MAC address). Is there any reason why this could not be generated for each session by the UA? It would still be unique across all callback devices on the network but different devices on the same network could have a different set of unique devices and thus reducing the potential for device fingerprinting.

I think the spec is clear that it's unique to the media element. Should an algorithm be defined to generate it?

@markafoltz markafoltz added the privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. label May 4, 2017
@avayvod
Contributor

avayvod commented May 4, 2017

I'm not even sure what a "callback device" is in the question.

A callback is basically a JavaScript function that can be called by the user agent. A numeric identifier is needed to be able to unregister the callback for cleanup. In Chrome we just find the next integer that's not assigned to any previously registered callback that hasn't been cancelled yet. I'd be wary of putting this into an algorithm as it may restrict other user agents in their implementation and, worse, make web pages depend on the order of ids or something.

We can add a note that the identifier MUST not leak any privacy information, however I doubt that's very helpful.

@markafoltz
Contributor Author

My reading was that "Callback device" is the device triggering the callback, e.g. a newly discovered remote playback device.

@markafoltz
Contributor Author

I think a note clarifying the id generation mechanism would address this concern. I can propose a PR.

@avayvod
Contributor

avayvod commented May 9, 2017

The id is returned way before any device is found (at least in the simple use case when availability starts as a result of watchAvailability). When the device is found, the callback is fired with a single boolean argument and its id doesn't change.
Clarifying the id generation would probably help eliminate confusion though, I agree.

@avayvod
Contributor

avayvod commented May 9, 2017

As a follow-up on the PR #83, we might want to spec the uniqueness of the id (e.g. within a frame) so that web authors could rely on the behavior suggested by the example.

@markafoltz
Contributor Author

Closing as I believe this is addressed by the PR.
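
The id allocation discussed in this thread, sketched as an added example that is not part of the original discussion and is not Chrome's or the specification's code: ids are derived only from the registry's own state, so they carry no device information and are assigned before any device is found. The class and method names are hypothetical; starting at 1 and reusing the lowest free integer are assumptions about what "next integer" means.

```javascript
// Hypothetical per-media-element registry of availability callbacks.
class AvailabilityCallbackRegistry {
  constructor() {
    this.callbacks = new Map(); // id -> callback, live registrations only
  }

  // Allocate the smallest positive integer not held by a live registration.
  // No device identifier (MAC address, name, hash) is an input here.
  watch(callback) {
    let id = 1;
    while (this.callbacks.has(id)) id++;
    this.callbacks.set(id, callback);
    return id;
  }

  // Unregister a callback; returns false when the id is not registered.
  cancel(id) {
    return this.callbacks.delete(id);
  }

  // Simulated user agent event: availability changed. Each callback gets a
  // single boolean argument; ids do not change when a device appears.
  notify(available) {
    for (const cb of this.callbacks.values()) cb(Boolean(available));
  }
}

// Constructed scenario: two media elements, each with its own registry.
function demo() {
  const elementA = new AvailabilityCallbackRegistry();
  const elementB = new AvailabilityCallbackRegistry();
  const seen = [];
  const id1 = elementA.watch((v) => seen.push(["a1", v]));
  const id2 = elementA.watch((v) => seen.push(["a2", v]));
  const idB = elementB.watch((v) => seen.push(["b1", v]));
  elementA.notify(true);  // a device is discovered after the ids were issued
  elementA.cancel(id1);   // frees id 1 on element A only
  const id3 = elementA.watch((v) => seen.push(["a3", v]));
  elementA.notify(false);
  return { id1, id2, idB, id3, seen };
}
```

Because each element has its own counter, the same id value appears on both elements, which is why the uniqueness scope raised in the thread matters to pages that store ids.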
