W3C home > Mailing lists > Public > www-dom@w3.org > January to March 2013

Re: Re: Re: Keyboard events for accessible RIAs and Games

From: Wez <wez@google.com>
Date: Thu, 31 Jan 2013 10:01:34 -0800
Message-ID: <CALekkJcpGfNQA-vyvRdbqH_KOCCHFF9DwxTxj7Pvzyx13VMu3w@mail.gmail.com>
To: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, www-dom@w3.org, Florian Bösch <pyalot@gmail.com>
On 31 Jan 2013 04:50, "Hallvord Reiar Michaelsen Steen" <hallvord@opera.com>
wrote:
>
>
> >> Well yes, implicitly you did. If a random website can figure out where
keys
> >> are on your keyboard (i.e. what layout you are using) it is an extra
data
> >> point for fingerprinting / tracking users.
>
>
> > I strongly disagree with that we should sacrifice accessability and
> > i18n on the altar of fingerprinting concerns.
>
>
> Let's try to solve the problem rather than stating disagreement. We have
- here and many, many other places - conflicting goals between enabling
features and protecting users from some potential abuse. We're discussing
this in order to balance both concerns without "sacrificing" anything - as
long as we find a way forward.
>
> > The HTTP header "accept-language" defined by HTTP 1.1 section 1.4.4
> > http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html already provides
the users
> > locale. A users locale has a strong correlation to a users keyboard
layout.
>
>
> This is definitely true, however for fingerprinting the devil really is
in the details. So I'm that guy requesting nn-NO with an en-GB keyboard
(bought laptop while living in London ages ago). Plus surfing with Opera.
There's probably only one of me ;-).

In this case the code translation API will behave as if nn-NO were in
effect - the fact that you have that but an en-GB keyboard only becomes
relevant if you press a key not normally present on nn-NO, which should be
a relatively easy corner-case to address.

> > If the intent is to avoid adding identifyable bits by preventing locale
sniffing
> > that train is gone with accept-language.
>
>
> The problem with fingerprinting is that the more bits of information we
add, the easier it gets.
>
>
> Anyway, we are (again) up against the old problem that browsers aren't
very good at letting users say "I trust this site". IMHO browsers should
have a "Trusted sites" list as a prominent part of their UI. IE's security
zones was an attempt at solving this, but the implementation IMO wasn't
really usable. For all I know the FirefoxOS "every site can be an app"
approach is a way to get there, if the app-bookmarked-sites get extra
privileges?
>
>
> --
> Hallvord R. M. Steen
> Core tester, Opera Software
>
>
>
>
>
>
Received on Thursday, 31 January 2013 19:38:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 31 January 2013 19:38:12 GMT