[e] (0) Mark features that can be used for fingerprinting. I'm sure I…

… missed some, please don't hesitate to point them out to me. Even if they only contribute half a bit of data. Affected topics: Canvas, DOM APIs, HTML, Web Storage git-svn-id: http://svn.whatwg.org/webapps@7205 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Jul 26, 2012 · 88c2b92 · 88c2b92
1 parent e39bedd
commit 88c2b92
Show file tree

Hide file tree

Showing 3 changed files with 401 additions and 75 deletions.
diff --git a/complete.html b/complete.html
@@ -110,6 +110,8 @@
    [hidden] { display: none; }
   </style><style type=text/css>
 
+   .fingerprint { float: right; }
+
    .applies thead th > * { display: block; }
    .applies thead code { display: block; }
    .applies tbody th { whitespace: nowrap; }
@@ -294,16 +296,17 @@ <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 26 July 2012</h2>
     <ol>
      <li><a href=#how-to-read-this-specification><span class=secno>1.9.1 </span>How to read this specification</a></li>
      <li><a href=#typographic-conventions><span class=secno>1.9.2 </span>Typographic conventions</a></ol></li>
-   <li><a href=#a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</a>
+   <li><a href=#fingerprint><span class=secno>1.10 </span>Privacy concerns</a></li>
+   <li><a href=#a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</a>
     <ol>
-     <li><a href=#writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</a></li>
-     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
-   <li><a href=#conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</a>
+     <li><a href=#writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</a></li>
+     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
+   <li><a href=#conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</a>
     <ol>
-     <li><a href=#presentational-markup><span class=secno>1.11.1 </span>Presentational markup</a></li>
-     <li><a href=#syntax-errors><span class=secno>1.11.2 </span>Syntax errors</a></li>
-     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</a></ol></li>
-   <li><a href=#recommended-reading><span class=secno>1.12 </span>Recommended reading</a></ol></li>
+     <li><a href=#presentational-markup><span class=secno>1.12.1 </span>Presentational markup</a></li>
+     <li><a href=#syntax-errors><span class=secno>1.12.2 </span>Syntax errors</a></li>
+     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</a></ol></li>
+   <li><a href=#recommended-reading><span class=secno>1.13 </span>Recommended reading</a></ol></li>
  <li><a href=#infrastructure><span class=secno>2 </span>Common infrastructure</a>
   <ol>
    <li><a href=#terminology><span class=secno>2.1 </span>Terminology</a>
@@ -2059,8 +2062,90 @@ <h4 id=typographic-conventions><span class=secno>1.9.2 </span>Typographic conven
   <p class=impl>This is an implementation requirement.</p>
 
 
+  <h3 id=fingerprint><span class=secno>1.10 </span>Privacy concerns</h3>
+
+  <p><i>This section is non-normative.</i></p>
+
+  <p>Some features of HTML trade user convenience for a measure of
+  user privacy.</p>
+
+  <p>In general, due to the Internet's architecture, a user can be
+  distinguished from another by the user's IP address. IP addresses do
+  not perfectly match to a user; as a user moves from device to
+  device, or from network to network, their IP address will change;
+  similarly, NAT routing, proxy servers, and shared computers enable
+  packets that appear to all come from a single IP address to actually
+  map to multiple users. Technologies such as onion routing can be
+  used to further anonymize requests so that requests from a single
+  user at one node on the Internet appear to come from many disparate
+  parts of the network.</p>
+
+  <p>However, the IP address used for a user's requests is not the
+  only mechanism by which a user's requests could be related to each
+  other. Cookies, for example, are designed specifically to enable
+  this, and are the basis of most of the Web's session features that
+  enable you to log into a site with which you have an account.</p>
+
+  <p>There are other mechanisms that are more subtle. Certain
+  characteristics of a user's system can be used to distinguish groups
+  of users from each other; by collecting enough such information, an
+  individual user's browser's "digital fingerprint" can be computed,
+  which can be as good, if not better, as an IP address in
+  ascertaining which requests are from the same user.</p>
+
+  <p>Grouping requests in this manner, especially across multiple
+  sites, can be used for both benign (and even arguably positive)
+  purposes, as well as for malevolent purposes. An example of a
+  reasonably benign purpose would be determining whether a particular
+  person seems to prefer sites with dog illustrations as opposed to
+  sites with cat illstrations (based on how often they visit the sites
+  in question) and then automatically using the preferred
+  illustrations on subsequent visits to participating sites.
+  Malevolent purposes, however, could include governments combining
+  information such as the person's home address (determined from the
+  addresses they use when getting driving directions on one site) with
+  their apparent political affiliations (determined by examining the
+  forum sites that they participate in) to determine whether the
+  person should be prevented from voting in an election.</p>
+
+  <p>Since the malevolent purposes can be remarkably evil, user agent
+  implementors are encouraged to consider how to provide their users
+  with tools to minimise leaking information that could be used to
+  fingerprint a user.</p>
+
+  <p>Unfortunately, as the first paragraph in this section implies,
+  sometimes there is great benefit to be derived from exposing the
+  very information that can also be used for fingerprinting purposes,
+  so it's not as easy as simply blocking all possible leaks. For
+  instance, the ability to log into a site to post under a specific
+  identity requires that the user's requests be identifiable as all
+  being from the same user, more or less by definition. More subtly,
+  though, information such as how wide text is, which is necessary for
+  many effects that involve drawing text onto a canvas (e.g. any
+  effect that involves drawing a border around the text) also leaks
+  information that can be used to group a user's requests. (In this
+  case, by potentially exposing, via a brute force search, which fonts
+  a user has installed, information which can vary considerably from
+  user to user.)</p>
+
+  <p>Features in this specification which can be used to fingerprint
+  the user are marked as this paragraph is.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
+
+  <p>Other features in the platform can be used for the same purpose,
+  though, including, though not limited to:</p>
+
+  <ul><li>The exact list of which features a user agents supports.</li>
 
-  <h3 id=a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</h3>
+   <li>The maximum allowed stack depth for recursion in script.</li>
+
+   <li>Features that describe the user's environment, like Media
+   Queries and the <code><a href=#screen>Screen</a></code> object. <a href=#refsMQ>[MQ]</a> <a href=#refsCSSOMVIEW>[CSSOMVIEW]</a></li>
+
+   <li>The user's time zone.</li>
+
+  </ul><h3 id=a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2211,7 +2296,7 @@ <h3 id=a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introd
   understand at first.</p>
 
 <!--ADD-TOPIC:Security-->
-  <h4 id=writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</h4>
+  <h4 id=writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2354,7 +2439,7 @@ <h4 id=writing-secure-applications-with-html><span class=secno>1.10.1 </span>Wri
 
    </dd>
 
-  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
+  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2417,7 +2502,7 @@ <h4 id=writing-secure-applications-with-html><span class=secno>1.10.1 </span>Wri
 
 
 
-  <h3 id=conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</h3>
+  <h3 id=conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2437,7 +2522,7 @@ <h3 id=conformance-requirements-for-authors><span class=secno>1.11 </span>Confor
   document and one with errors.</p>
 
 
-  <h4 id=presentational-markup><span class=secno>1.11.1 </span>Presentational markup</h4>
+  <h4 id=presentational-markup><span class=secno>1.12.1 </span>Presentational markup</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2512,7 +2597,7 @@ <h4 id=presentational-markup><span class=secno>1.11.1 </span>Presentational mark
   <code><a href=#the-s-element>s</a></code>, <code><a href=#the-small-element>small</a></code>, and <code><a href=#the-u-element>u</a></code>.</p>
 
 
-  <h4 id=syntax-errors><span class=secno>1.11.2 </span>Syntax errors</h4>
+  <h4 id=syntax-errors><span class=secno>1.12.2 </span>Syntax errors</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2773,7 +2858,7 @@ <h4 id=syntax-errors><span class=secno>1.11.2 </span>Syntax errors</h4>
 
 
 
-  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</h4>
+  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -3017,7 +3102,7 @@ <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>
 
    </dd>
 
-  </dl><h3 id=recommended-reading><span class=secno>1.12 </span>Recommended reading</h3>
+  </dl><h3 id=recommended-reading><span class=secno>1.13 </span>Recommended reading</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -8236,7 +8321,9 @@ <h3 id=fetching-resources><span class=secno>2.7 </span>Fetching resources</h3>
 
      <li><p>Take ownership of the <a href=#storage-mutex>storage mutex</a>.</li>
 
-     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a></li>
+     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a>
+     <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+     </li>
 
      <li><p>Release the <a href=#storage-mutex>storage mutex</a> so that it is once
      again free.</li>
@@ -10078,8 +10165,8 @@ <h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource
   </dl><div class=impl>
 
   <p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn>
-  attribute represents the cookies of the resource from which the
-  <code><a href=#document>Document</a></code> was created.</p>
+  attribute represents the cookies of the resource identified by
+  <a href="#the-document's-address">the document's address</a>.</p>
 
   <p>A <code><a href=#document>Document</a></code> object that falls into one of the
   following conditions is a <dfn id=cookie-averse-document-object>cookie-averse <code>Document</code>
@@ -10103,7 +10190,9 @@ <h4 id=resource-metadata-management><span class=secno>3.1.3 </span><dfn>Resource
   first <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
   cookie-string for <a href="#the-document's-address">the document's address</a> for a
   "non-HTTP" API, <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>.
-  <a href=#refsCOOKIES>[COOKIES]</a></p>
+  <a href=#refsCOOKIES>[COOKIES]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>On setting, if the document is a <a href=#cookie-averse-document-object>cookie-averse
   <code>Document</code> object</a>, then the user agent must do
@@ -36057,7 +36146,7 @@ <h6 id=resolution><span class=secno>4.8.11.1.1 </span>Resolution</h6>
 
   <p>All the bitmaps created during a single <a href=#concept-task title=concept-task>task</a> for canvases that use 2D contexts
   must have the same resolution.
-  <!--XXX 4INSERT FINGERPRINT-->
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
   </p>
 
   <pre class=idl>partial interface <a href=#screen>Screen</a> {
@@ -38786,7 +38875,9 @@ <h6 id=drawing-text-to-the-canvas><span class=secno>4.8.11.1.11 </span>Drawing t
   <code><a href=#securityerror>SecurityError</a></code> exception.
 <!--REMOVE-TOPIC:Security-->
   Otherwise, it must return the new <code><a href=#textmetrics>TextMetrics</a></code> object.
-  <a href=#refsCSS>[CSS]</a></p>
+  <a href=#refsCSS>[CSS]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -49978,7 +50069,9 @@ <h6 id="submit-button-state-(type=submit)"><span class=secno>4.10.7.1.19 </span>
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Submit" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
 
@@ -50331,7 +50424,9 @@ <h6 id="reset-button-state-(type=reset)"><span class=secno>4.10.7.1.21 </span><d
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Reset" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
 
@@ -72434,7 +72529,9 @@ <h4 id=enabling-and-disabling-scripting><span class=secno>7.1.2 </span>Enabling
    <li>The user has not disabled scripting for this <a href=#browsing-context>browsing
    context</a> at this time. (User agents may provide users with
    the option to disable scripting globally, or in a finer-grained
-   manner, e.g. on a per-origin basis.)</li>
+   manner, e.g. on a per-origin basis.)
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </li>
 
    <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a>'s
    <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
@@ -75014,7 +75111,9 @@ <h5 id=client-identification><span class=secno>7.5.1.1 </span>Client identificat
   to user can be used to profile the user. In fact, if enough such
   information is available, a user can actually be uniquely
   identified. For this reason, user agent implementors are strongly
-  urged to include as little information in this API as possible.</p>
+  urged to include as little information in this API as possible.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -75330,7 +75429,9 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   scheme and the second gives the string used to build the
-  <a href=#url>URL</a> of the page that will handle the requests.</p>
+  <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the schemes for which
   custom protocol handlers are registered in an <a href=#ascii-case-insensitive>ASCII
@@ -75345,7 +75446,9 @@ <h5 id=custom-handlers><span class=secno>7.5.1.2 </span>Custom scheme and conten
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   <a href=#mime-type>MIME type</a> and the second gives the string used to build
-  the <a href=#url>URL</a> of the page that will handle the requests.</p>
+  the <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the <a href=#mime-type title="MIME
   type">MIME types</a> for which custom content handlers are
@@ -75717,7 +75820,9 @@ <h4 id=the-external-interface><span class=secno>7.5.2 </span>The <code><a href=#
     <a href=#url>URL</a> to an OpenSearch description document. <a href=#refsOPENSEARCH>[OPENSEARCH]</a></li>
 
    </ol><p>The <dfn id=dom-external-issearchproviderinstalled title=dom-external-IsSearchProviderInstalled><code>IsSearchProviderInstalled()</code></dfn>
-   method, when invoked, must run the following steps:</p>
+   method, when invoked, must run the following steps:
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </p>
 
    <ol><li><p>Optionally, return 0 and abort these steps. User agents may
     implement the method as a stub method that never returns a
@@ -85042,7 +85147,9 @@ <h4 id=the-localstorage-attribute><span class=secno>11.2.3 </span>The <code titl
 
   <p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
   object provides a <code><a href=#storage-0>Storage</a></code> object for an
-  <a href=#origin>origin</a>.</p>
+  <a href=#origin>origin</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>User agents must have a set of local storage areas, one for each
   <a href=#origin>origin</a>.</p>