[csswg-drafts] [css-text-3] Privacy Review - fingerprintability of the dictionaries (#5630)

kdzwinel has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-text-3] Privacy Review - fingerprintability of the dictionaries ==
Hey everyone 👋 Together with @dharb we conducted a privacy review of the CSS Text Module level 3 and presented it at the last PING meeting ([minutes](https://cryptpad.w3ctag.org/code/#/2/code/edit/4ht9YHtVS9AB4UBlh-oPvHej/)).

Two issues that we noted were:

**A.** Amount of details left up to UA can help uniquely identify browser vendor and, possibly, even individual browser versions (this was noted in https://github.com/w3c/csswg-drafts/issues/5574). We had a brief discussion about this with the group and concluded that the concern is minor as ATM those details are still being revealed by the user agent string.

**B.** Website can detect installed dictionaries by e.g. testing for language-specific hyphenation. This is much more concerning assuming that users can have a unique combination or versions of dictionaries installed. That being said, we didn't have enough knowledge about how those dictionaries are installed to fully assess the risk, so we decided to follow up with some questions:

1. Are browsers shipping with built-in dictionaries or are they using system dictionaries?
2. Are browsers shipping with all dictionaries or maybe only a dictionary matching the browser language?
3. Are those dictionaries used for anything else in the browsers today that's already known to be detectable?

I realize that those questions are asking about individual implementations and not the spec, but we are trying to assess the risk in the wild. All help answering those will be much appreciated 🙇‍♂️

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5630 using your GitHub account


Received on Friday, 16 October 2020 21:56:07 UTC