[giow] (0) Try to improve the fingerprinting-avoidance advice for nav…

…igator.language Affected topics: DOM APIs, HTML git-svn-id: http://svn.whatwg.org/webapps@8231 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Oct 18, 2013 · ec66547 · ec66547
1 parent ccb010d
commit ec66547
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 32 deletions.
diff --git a/complete.html b/complete.html
@@ -72834,23 +72834,32 @@ <h5 id=language-preferences><span class=secno>7.6.1.2 </span>Language preference
 
   <dl><!--
    <dt><dfn title="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
-   <dd><p>Must return either the string "<code title="">en</code>" or a language tag representing
-   the language the browser uses in its interface.</p></dd>
+   <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+   language the browser uses in its interface.</p></dd>
 
 
    <dt><dfn title="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
    --><!-- at time of testing, this was supported by Opera, Safari, and Mozilla only --><dt><dfn id=dom-navigator-language title=dom-navigator-language><code>language</code></dfn></dt>
-   <dd><p>Must return either the string "<code title="">en</code>" or a valid BCP 47 language tag
-   representing the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
+   <dd><p>Must return a valid BCP 47 language tag representing either <a href=#a-plausible-language>a plausible
+   language</a> or the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
 
-  </dl><p class=warning>As for the API in the previous section, any information in this API that varies
-  from user to user can be used to profile or identify the user. For this reason, user agent
-  implementors are encouraged to return "en" unless the user has explicitly indicated that the site
-  in question is allowed access to the information.
-  <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
-  </p>
+  </dl><p>To determine <dfn id=a-plausible-language>a plausible language</dfn>, the user agent should bear in mind the following:</p>
 
-  </div>
+  <ul><li>Any information in this API that varies from user to user can be used to profile or identify
+   the user.
+   <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
+   </li>
+
+   <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+   anonymity network), then the value that is least likely to distinguish the user from other users
+   with similar origins (e.g. from the same IP address block) is the language used by the majority
+   of such users. <a href=#refsTOR>[TOR]</a></li>
+
+   <li>If the user is using an anonymizing service, then the value "<code title="">en-US</code>" is
+   suggested; if all users of the service use that same value, that reduces the possibility of
+   distinguishing the users from each other.</li>
+
+  </ul></div>
 
 
 
@@ -100584,6 +100593,9 @@ <h2 class=no-num id=references>References</h2><!--REFS-->
    <dt id=refsSVG>[SVG]</dt>
    <dd><cite><a href=http://www.w3.org/TR/SVGTiny12/>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</a></cite>, O. Andersson, R. Berjon, E. Dahlstr&ouml;m, A. Emmons, J. Ferraiolo, A. Grasso, V. Hardy, S. Hayman, D. Jackson, C. Lilley, C. McCormack, A. Neumann, C. Northway, A. Quint, N. Ramani, D. Schepers, A. Shellshear. W3C.</dd>
 
+   <dt id=refsTOR>[TOR]</dt>
+   <dd>(Non-normative) <cite><a href=https://www.torproject.org/>Tor</a></cite>.</dd>
+
    <dt id=refsTYPEDARRAY>[TYPEDARRAY]</dt>
    <dd><cite><a href=http://www.khronos.org/registry/typedarray/specs/latest/>Typed Array Specification</a></cite>, D. Herman, K. Russell. Khronos.</dd>
 

diff --git a/index b/index
@@ -72834,23 +72834,32 @@ interface <dfn id=navigatorlanguage>NavigatorLanguage</dfn> {
 
   <dl><!--
    <dt><dfn title="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
-   <dd><p>Must return either the string "<code title="">en</code>" or a language tag representing
-   the language the browser uses in its interface.</p></dd>
+   <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+   language the browser uses in its interface.</p></dd>
 
 
    <dt><dfn title="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
    --><!-- at time of testing, this was supported by Opera, Safari, and Mozilla only --><dt><dfn id=dom-navigator-language title=dom-navigator-language><code>language</code></dfn></dt>
-   <dd><p>Must return either the string "<code title="">en</code>" or a valid BCP 47 language tag
-   representing the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
+   <dd><p>Must return a valid BCP 47 language tag representing either <a href=#a-plausible-language>a plausible
+   language</a> or the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
 
-  </dl><p class=warning>As for the API in the previous section, any information in this API that varies
-  from user to user can be used to profile or identify the user. For this reason, user agent
-  implementors are encouraged to return "en" unless the user has explicitly indicated that the site
-  in question is allowed access to the information.
-  <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
-  </p>
+  </dl><p>To determine <dfn id=a-plausible-language>a plausible language</dfn>, the user agent should bear in mind the following:</p>
 
-  </div>
+  <ul><li>Any information in this API that varies from user to user can be used to profile or identify
+   the user.
+   <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
+   </li>
+
+   <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+   anonymity network), then the value that is least likely to distinguish the user from other users
+   with similar origins (e.g. from the same IP address block) is the language used by the majority
+   of such users. <a href=#refsTOR>[TOR]</a></li>
+
+   <li>If the user is using an anonymizing service, then the value "<code title="">en-US</code>" is
+   suggested; if all users of the service use that same value, that reduces the possibility of
+   distinguishing the users from each other.</li>
+
+  </ul></div>
 
 
 
@@ -100584,6 +100593,9 @@ if (s = prompt('What is your name?')) {
    <dt id=refsSVG>[SVG]</dt>
    <dd><cite><a href=http://www.w3.org/TR/SVGTiny12/>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</a></cite>, O. Andersson, R. Berjon, E. Dahlstr&ouml;m, A. Emmons, J. Ferraiolo, A. Grasso, V. Hardy, S. Hayman, D. Jackson, C. Lilley, C. McCormack, A. Neumann, C. Northway, A. Quint, N. Ramani, D. Schepers, A. Shellshear. W3C.</dd>
 
+   <dt id=refsTOR>[TOR]</dt>
+   <dd>(Non-normative) <cite><a href=https://www.torproject.org/>Tor</a></cite>.</dd>
+
    <dt id=refsTYPEDARRAY>[TYPEDARRAY]</dt>
    <dd><cite><a href=http://www.khronos.org/registry/typedarray/specs/latest/>Typed Array Specification</a></cite>, D. Herman, K. Russell. Khronos.</dd>
 

diff --git a/source b/source
@@ -81419,25 +81419,38 @@ interface <dfn>NavigatorLanguage</dfn> {
 
    <!--
    <dt><dfn data-x="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
-   <dd><p>Must return either the string "<code data-x="">en</code>" or a language tag representing
-   the language the browser uses in its interface.</p></dd>
+   <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+   language the browser uses in its interface.</p></dd>
 
 
    <dt><dfn data-x="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
    -->
    <!-- at time of testing, this was supported by Opera, Safari, and Mozilla only -->
    <dt><dfn data-x="dom-navigator-language"><code>language</code></dfn></dt>
-   <dd><p>Must return either the string "<code data-x="">en</code>" or a valid BCP 47 language tag
-   representing the user's preferred language. <a href="#refsBCP47">[BCP47]</a></p></dd>
+   <dd><p>Must return a valid BCP 47 language tag representing either <span>a plausible
+   language</span> or the user's preferred language. <a href="#refsBCP47">[BCP47]</a></p></dd>
 
   </dl>
 
-  <p class="warning">As for the API in the previous section, any information in this API that varies
-  from user to user can be used to profile or identify the user. For this reason, user agent
-  implementors are encouraged to return "en" unless the user has explicitly indicated that the site
-  in question is allowed access to the information.
-  <!--INSERT FINGERPRINT-->
-  </p>
+  <p>To determine <dfn>a plausible language</dfn>, the user agent should bear in mind the following:</p>
+
+  <ul>
+
+   <li>Any information in this API that varies from user to user can be used to profile or identify
+   the user.
+   <!--INSERT FINGERPRINT-->
+   </li>
+
+   <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+   anonymity network), then the value that is least likely to distinguish the user from other users
+   with similar origins (e.g. from the same IP address block) is the language used by the majority
+   of such users. <a href="#refsTOR">[TOR]</a></li>
+
+   <li>If the user is using an anonymizing service, then the value "<code data-x="">en-US</code>" is
+   suggested; if all users of the service use that same value, that reduces the possibility of
+   distinguishing the users from each other.</li>
+
+  </ul>
 
   </div>
 
@@ -112418,6 +112431,9 @@ if (s = prompt('What is your name?')) {
    <dd><cite><a
    href="http://www.nectec.or.th/it-standards/std620/std620.htm">UDC 681.3.04:003.62</a></cite>. Thai Industrial Standards Institute, Ministry of Industry, Royal Thai Government. ISBN 974-606-153-4.</dd>
 
+   <dt id="refsTOR">[TOR]</dt>
+   <dd>(Non-normative) <cite><a href="https://www.torproject.org/">Tor</a></cite>.</dd>
+
    <dt id="refsTURN">[TURN]</dt>
    <dd><cite><a href="http://tools.ietf.org/html/rfc5766">Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)</a></cite>, R. Mahy, P. Matthews, J. Rosenberg. IETF.</dd>