- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Fri, 26 Sep 2014 10:25:36 +0200
- To: public-media-capture@w3.org
- Message-ID: <54252300.7030403@alvestrand.no>

On 09/25/2014 06:21 PM, Shijun Sun wrote:
> Folks,
>
> I expect there is a consensus already in the WG on the topic. I'd like to get some help to understand the mitigation mainly from the UA implementation perspective.
>
> The deviceId is currently defined as an identifier which must be *persistent* between application sessions. So a website can get the same deviceId's when a user visits the website using the same system, calling gUM() or not. Should we expect the deviceId's for any specific website be (largely) consistent across all systems? Otherwise, in the worst case when the Id is unique to each system, the website can potentially track the user.

Can you clarify what you mean by "system" in this case? Web pages of the same origin?

If they have the same origin, they should see the same deviceId; if they have different origins, they should see different deviceIds.

Spec text:

"Devices have an identifier which /must/ be unique to the application (un-guessable by another application) and persistent between application sessions (e.g., the identifier for a given source device/application must stay the same, but not be guessable by another application)."

Yes, a web site that can already track the user using cookies can already track the user, so there is no additional attack that we need to defend against by changing deviceId.

Yes, "re-randomize deviceId when cookies are cleared" was agreed to, and needs to be added to the spec. It's already implemented in Chrome, I believe.

Note to editors: The term "application" needs to be defined in the document, with the explanation that all pages of an application have the same origin.

>
> Appreciate any comment!
>
> Best,
> Shijun
>

Received on Friday, 26 September 2014 08:26:05 UTC
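
The properties discussed in this message (same deviceId within an origin, different deviceIds across origins, a new deviceId once cookies are cleared), as an added example that is not part of the original message, the spec, or any browser's code. It assumes one possible design, an HMAC of the hardware identifier keyed by a per-origin random salt stored with the origin's site data; `DeviceIdStore`, `origin_of` and the sample hardware identifier are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


class DeviceIdStore:
    """Toy model of a user agent's per-origin deviceId bookkeeping (assumed design)."""

    def __init__(self):
        # origin -> random salt, kept alongside that origin's cookies.
        self._salts = {}

    def _salt_for(self, origin):
        # The salt is created on first use and persists across sessions.
        if origin not in self._salts:
            self._salts[origin] = secrets.token_bytes(32)
        return self._salts[origin]

    def device_id(self, origin, hardware_id):
        # HMAC hides the raw hardware identifier and makes the result
        # unguessable to any origin that does not hold this origin's salt.
        mac = hmac.new(self._salt_for(origin), hardware_id.encode(), hashlib.sha256)
        return mac.hexdigest()

    def clear_site_data(self, origin):
        # Clearing cookies drops the salt, so the next deviceId is re-randomized.
        self._salts.pop(origin, None)


def origin_of(scheme, host, port):
    # Pages belong to the same "application" only if all three parts match.
    return f"{scheme}://{host}:{port}"


def demo():
    store = DeviceIdStore()
    camera = "usb-camera-0"  # constructed hardware identifier
    site_a = origin_of("https", "a.example", 443)
    site_b = origin_of("https", "b.example", 443)
    first = store.device_id(site_a, camera)
    results = {
        "stable_within_origin": store.device_id(site_a, camera) == first,
        "differs_across_origins": store.device_id(site_b, camera) != first,
    }
    store.clear_site_data(site_a)
    results["rerandomized_after_clear"] = store.device_id(site_a, camera) != first
    return results


if __name__ == "__main__":
    print(demo())
```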