Define fingerprinting vector #115
Conversation
PR to add equivalent text in Infra: whatwg/infra#115
PR to add equivalent text in Infra: whatwg/infra#115
|
Hey, @othermaciej left some useful feedback in whatwg/html#3054 (comment) that suggests we should maybe rename this to "tracking vector" or some such. |
|
I think it might be useful to define both "fingerprinting vector" and "tracking vector" as a superset of "fingerprinting vector". The current definition seems to be just about fingerprinting. But we need a way to tag features like LocalStorage and BroadcastChannel, and those are tracking but not fingerprinting. |
|
@othermaciej should those exist separately? And do we want separate icons for both? Or would annotating all with "tracking vector" and mention the specifics on a per feature basis be sufficient? |
|
@annevk I am not sure. Browsers may care about fingerprinting vectors and other tracking vectors at different levels. For Safari/WebKit, we care about both, but recognize that fully mitigating fingerprinting is a harder problem. Marking the two cases differently might help get better review from interesting parties. Note: to be consistent, probably every stateful storage mechanism that exists in the web platform should be marked "tracking vector", including but not necessarily limited to: Session Storage, Local Storage, Cache API, HTTP cookies, IndexedDB, the HTTP cache, HSTS, HTTP ETags, SQL Storage, plugins (since many have their own storage mechanisms), CSS visited link history, Service Workers, Shared Workers. (I realize not all of these are defined or even mentioned in WHATWG Living Standards or other standards that make use of Infra). |
|
I'd like to push this forward as I think this is rather relevant these days. To keep it simple I suggest we go with "tracking vector" exclusively, defining it such that it is inclusive of fingerprinting. If at some point we establish that we need more categories we can cross that bridge then. |
|
I don't have strong feelings on "tracking vector" vs. "fingerprinting vector" or defining/using them both. But if we start with just "tracking vector" are we going to stick with fingerprint-style icons? Or do we need a different iconography for the more generic term? |
|
I'm fine with keeping the icon Simon created and using it for a broader purpose, but we could replace it if someone is able to create something suitable under CC0. |
|
I now think the fingerprint image I created looks kinda ugly, so I wouldn't mind a competing proposal. 🙂 |
|
I'd be happy to replace it if someone were to offer something under an equivalent license. Otherwise though, I'd rather move ahead with this than wait for something better to appear. |
There was a problem hiding this comment.
I left some comments on the assumption that this would be generalized to "tracking vector".
(To be clear, I strongly support adding this material to Infra, my comments are more about not making it sound like fingerprinting is the only tracking vector, and also about not justifying interest-based targeting, since it's not necessarily agreed to be benign.)
annevk
force-pushed
the
zcorpan/define-fingerprinting-vector
branch
from
bc4e8ec
to
6d19985
Compare
This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.
|
I've confirmed in a local build that the tracking vector paragraph gets a fingerprint icon, so no more need to wait for speced/bikeshed#964 (comment). |
|
Well, I'd like it to also link and use the remote icon and such. |
|
Yep, but Bikeshed's link will go to text that this PR is adding, so merging this shouldn't block on that. |
|
I suppose that's true, although the styling leaves to be desired. whatwg/whatwg.org#64 fixes that, but does depend on the other changes. Is there a reason to merge this early? Hopefully @tabatkins will soon be able to address the remaining issues. |
|
Tab has now done so and will add the link to Infra once this PR is merged. That seems fine as only HTML is impacted and HTML does not depend on Bikeshed. I've created speced/bikeshed#1578 so we can start using an external image here. I'll also check all the other PRs again to ensure everything is in order for the big switch. |
This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.
This allows other standards to designate something as a tracking vector and link this text for a centralized explanation. Fixes #20. Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
annevk
force-pushed
the
zcorpan/define-fingerprinting-vector
branch
from
84e3447
to
8d5fea4
Compare
|
As there's always one more thing: speced/bikeshed#1586. |
|
Apologies for the commit title. Fortunately the description does mention "tracking vector" so I was too enthusiastic about finally being able to land this. |
This depends on whatwg/wattsi#41, whatwg/infra#115 (which depends on speced/bikeshed#964), and whatwg/whatwg.org#64.
This builds on whatwg/wattsi#41, whatwg/infra#115 (which builds on speced/bikeshed#964), and whatwg/whatwg.org#64.
This builds on whatwg/wattsi#41, whatwg/infra#115 (which builds on speced/bikeshed#964), and whatwg/whatwg.org#64.
Fixes #20.
This is blocked by speced/bikeshed#964
Preview | Diff