Re: [csswg-drafts] [css-color-4][css-color-adjust-1] Shielding system colors to avoid fingerprinting? (#5710)

From: sysrqb via GitHub <sysbot+gh@w3.org>
Date: Thu, 21 Jan 2021 03:35:23 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-764211053-1611200122-sysbot+gh@w3.org>

I'm providing a privacy review of this draft.

The information leakage in the forced-color property is quite concerning. As the feature is specified, the privacy and security risk is not only fingerprinting, but it is potentially revealing information about a user's health/physical condition. I understand the significant benefits in providing a mechanism for adjusting sites to meet the needs of the user; however, it seems the current design allows a web page to abuse this information, too. I recommend considering options (2) or (3). Alternatively, the "correctness" of the response from getComputedStyle seems like functionality that could be gated behind a permission prompt.

Separately, regarding the color-scheme, I recommend limiting the addition of new schemes in the future.

-- 
GitHub Notification of comment by sysrqb
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5710#issuecomment-764211053 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 21 January 2021 03:35:24 UTC