Re: [compute-pressure] Feature can be abused to create cross-site covert channels (#197)

@toreini thanks for your review and insightful comments!

Per https://www.w3.org/2001/tag/doc/private-browsing-modes/#features-supporting-private-browsing I think we should informatively guide implementers on options for how they might alter the behaviour when in a private browsing mode. The use of the [implementation-defined](https://infra.spec.whatwg.org/#implementation-defined) keyword would allow for that even in the context of normative prose. As discussed in that TAG Finding, we don't want the use of a private browsing mode to become a fingerprint itself for this API, and as such should not define normatively how implementers must (in RFC 2119 terms) react if such a mode is turned on.

The design goal should be that it would be difficult if not impossible to detect by observing this API alone whether the private browsing mode is on.

-- 
GitHub Notification of comment by anssiko
Please view or discuss this issue at https://github.com/w3c/compute-pressure/issues/197#issuecomment-1593082015 using your GitHub account


Received on Thursday, 15 June 2023 13:37:20 UTC