- From: David Singer <singer@apple.com>
- Date: Thu, 12 Oct 2017 12:39:48 +0200
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
> On Oct 12, 2017, at 11:49 , Mike O'Neill <michael.oneill@baycloud.com> wrote: > >>> This lets a bad actor misuse the API for fingerprinting. Specify an > arbitrary string then always get the same string back >>> in other requests. > >> Um, Mike, it’s only going to servers that the user has agreed may track. > I’m not terribly fussed about improve the >> fingerprintability of users who already agree to being tracked. > > The bad actor won't care if the user has agreed or not, they will just use > the API (from a subresource). It gets round any third-party cookie blocking, > so it will happen. > > Mike, if a bad actor (a) can set an exception that claims to have the user’s consent but does not or (b) leverages an exception that has been granted based on another’s request (e.g. a site-wide), to do evil, the presence of a slightly larger fingerprint is a minor concern. > On Oct 12, 2017, at 11:49 , Mike O'Neill <michael.oneill@baycloud.com> wrote: > > When the store API is called it would fetch the TSRs for each of the > Targets, we already say they may do that. The TSRs are then put into domain > specific store (maybe just the purpose array ). When requests get sent the > domain store is examined (it must anyway, if only to get cookies) and the > DNT extension is calculated. Pretty efficient. The UA can only fetch the TSR for named targets, not for a site-wide (target=“*”) exception. And if the array of targets in the exception request is large, this could be very tedious. David Singer Manager, Software Standards, Apple Inc.
Received on Thursday, 12 October 2017 10:40:40 UTC