[mediacapture-main] Browsing sessions and device IDs

martinthomson has just created a new issue for 
https://github.com/w3c/mediacapture-main:

== Browsing sessions and device IDs ==
We've had a fair bit of back-and-forth about this at Mozilla (I hope to have https://bugzilla.mozilla.org/show_bug.cgi?id=1223773 opened so people can see that discussion, but it's still locked down).

The definition of "browsing session", which was created after the term was used in gUM, is a poor fit here.  In that bug, @jan-ivar was motivated to go to somewhat extraordinary efforts to be compliant with the definition we have (see aforementioned bug).  That would be OK, except that it didn't really address a security issue.

Architecturally speaking, sites need to have a consistent view of any persistent state that a browser retains for them.  This includes device identifiers, which are, for better or worse, a form of persistent identifier.  Requiring identifiers to be discarded at specific points in time, as the current text does, and on a different timeline to other persisted state, can harm that view unnecessarily.  There is no security or privacy advantage to be gained by throwing away this state, but site integrity can be adversely affected.

I suggest that "browser session" isn't a good fit for what we want to have for the lifetime of device identifiers.

We've been around this problem a few times, and I think that ultimately we will find it hard to agree on a single lifetime for these identifiers.  However, I think that we can and should set expectations.  I propose:

1. That the minimum time over which the identifiers persist, absent user override, is a browsing session.  That is, unless a user intervenes, device identifiers are constant for a given origin for the duration of a browsing session.

2. That browsers be permitted to persist those identifiers after that, but they not be required to.

This allows a browser to drop identifiers on shutdown (whatever that means), or to run a timer, or to watch for the last window open to an origin to close and nuke at that point.  It also allows for different policies during normal and "private" browsing.

Ideally, we would persist these identifiers just like other origin-specific state, but the cost of implementing that vs. the benefit was considered and I don't think that we wanted to invest that effort.  I think that we would if we all decided that was the right thing to do.  I think that it is, but consider the value to be dismally low.  Thus, I did not propose this as a third part to the above proposal, but would support that if others do.

Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/322 using your GitHub account
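The site-integrity concern in the issue above (a stored deviceId is stable within a browsing session but may have been discarded by the next one) is illustrated by the following added example. It is not code from the issue, from Mozilla, or from the mediacapture-main specification; the device list and stored preference are constructed sample data shaped like the MediaDeviceInfo objects that enumerateDevices() returns, and the function names are my own. It shows how a site can reconcile a previously saved preference against the current device list, detect wholesale identifier rotation, and build getUserMedia constraints that degrade gracefully instead of failing on a stale id.

```javascript
// Added example, not part of the GitHub issue or the mediacapture-main spec.
// All deviceId, label and groupId values are constructed sample data.

// Objects shaped like the MediaDeviceInfo entries that
// navigator.mediaDevices.enumerateDevices() resolves with (constructed).
const constructedCurrentDevices = [
  { kind: "audioinput", deviceId: "sample-mic-s2", label: "Built-in Microphone", groupId: "g1" },
  { kind: "audioinput", deviceId: "sample-headset-s2", label: "USB Headset", groupId: "g2" },
  { kind: "videoinput", deviceId: "sample-cam-s2", label: "Integrated Camera", groupId: "g1" },
];

// Preference the site saved (e.g. in localStorage) during an earlier browsing
// session (constructed). The microphone id has rotated; the camera id survived.
const constructedStoredPreference = {
  audioinput: "sample-mic-s1",
  videoinput: "sample-cam-s2",
};

// For each stored kind, decide whether the stored id is still valid.
// Returns { kind: { deviceId, status } } where status is one of
// "kept" (id still present), "rotated-fallback" (id gone, first device of
// that kind used instead) or "unavailable" (no device of that kind at all).
function reconcileDevicePreference(stored, current) {
  const result = {};
  for (const [kind, wantedId] of Object.entries(stored)) {
    const ofKind = current.filter((d) => d.kind === kind);
    const match = ofKind.find((d) => d.deviceId === wantedId);
    if (match) {
      result[kind] = { deviceId: match.deviceId, status: "kept" };
    } else if (ofKind.length > 0) {
      result[kind] = { deviceId: ofKind[0].deviceId, status: "rotated-fallback" };
    } else {
      result[kind] = { deviceId: null, status: "unavailable" };
    }
  }
  return result;
}

// True when every stored id is stale. The likely explanation is that the
// browser discarded identifiers at a session boundary (or the user cleared
// state), as the proposal permits, rather than that one device was unplugged.
// A site can use this to re-prompt for a device choice instead of silently
// picking the wrong hardware.
function allIdentifiersRotated(reconciled) {
  const entries = Object.values(reconciled);
  return entries.length > 0 && entries.every((r) => r.status !== "kept");
}

// Build a MediaStreamConstraints object for getUserMedia. `ideal` rather than
// `exact` is used so a stale id yields a best-effort device choice instead of
// an OverconstrainedError; kinds with no device at all are omitted.
function buildConstraints(reconciled) {
  const constraints = {};
  if (reconciled.audioinput && reconciled.audioinput.deviceId) {
    constraints.audio = { deviceId: { ideal: reconciled.audioinput.deviceId } };
  }
  if (reconciled.videoinput && reconciled.videoinput.deviceId) {
    constraints.video = { deviceId: { ideal: reconciled.videoinput.deviceId } };
  }
  return constraints;
}

// Stand-alone run over the constructed data.
const sampleReconciled = reconcileDevicePreference(
  constructedStoredPreference,
  constructedCurrentDevices
);
console.log(sampleReconciled);
console.log("all identifiers rotated:", allIdentifiersRotated(sampleReconciled));
console.log(JSON.stringify(buildConstraints(sampleReconciled)));
```

In a real page the `current` argument would come from `await navigator.mediaDevices.enumerateDevices()` and `stored` from whatever origin-scoped storage the site uses; the point is that the site treats a missing id as an expected event under the proposed lifetime rules, not as an error.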

Received on Tuesday, 8 March 2016 04:58:25 UTC