- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Wed, 10 Dec 2014 10:06:29 -0500
- To: chaals@yandex-team.ru, W3C Privacy IG <public-privacy@w3.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 12/9/14, 9:45 PM, chaals@yandex-team.ru wrote: > The concern is that this enables fingerprinting, or determining something about what systems (especially extensions and assistive technology) the user has installed, which in turn exposes personal information about the user. > > Is this a real problem we should consider? Sounds like how a browser will make this decision is a UA-land issue, yes? (i.e., unspecified by whatever part of the HTML spec that establishes accesskey) It does seem like it would allow a site to potentially gain more information about the user and their computing environment than available through other sources already. The most narrow case seems to be on platforms like Mac OS or Linux that allow the user to configure somewhat arbitrary keyboard shortcuts (if you know a certain user or group of users reserve a specific keyboard shortcut, you can segment (divide into buckets) those users by suggesting that shortcut in accesskey and then reading the DOM to see if the browser chose a different one.) I'm wondering if there isn't a solution like an origin-specific "allow access to information about the keyboard and keyboard shortcuts" that the spec could recommend browser vendors implement here to mitigate this increased fingerprinting risk. HTML WG's scope may preclude making statements like that, I suspect. best, Joe - -- Joseph Lorenzo Hall Chief Technologist Center for Democracy & Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p) 202-407-8825 (f) 202-637-0968 joe@cdt.org PGP: https://josephhall.org/gpg-key fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) iQIcBAEBCAAGBQJUiGF1AAoJEF+GaYdAqahxJucP/ieJjGb043qDF42xUHJnpwtQ 17zDSak6EQvFYLTYfp5c+mVPgh4aSmoDhc+m2r9leajxCsk/kzJsBheHKotgD2Fw xF4baq5jDyrRp8qsJn9MH9O4GTdUo0suXSyJfFW1p6qqbHnE7MNFHUqDURg9jj8e s91kIDqN06pqBupW2xZZteNwD4VmRaMkCMe+KuK8G3CWa3NA2ZefEA5Rfl53d1ND RIbGJI2GG38a4d2dA+nrPVpQe+jqqA1PLhwQJbgI/l1eTxIMOtK/nXhA9VZTu+il usNkXi0xDl9zxaeIc6KtOFPQEN01hLHNoq7SIdKN1o0KuW5yLYtY9vgo4NAelhgg CeUXLRitf3sT8tnaDAHuSaNAAfXTYP9oYy6EXTffKNE/vKXOatYLeP+75puBwjN6 0N1p4eFROEjtk1/plaDgoXS+2CFrLQHiYzt25PO9B4QdPP2t/gAoHzkY8/Uy9xrw ClidN9yJ6nbl4O+/0sFVY6oY8qFmoU/Pu0QsuPbgFQpj+U1sVOGo6VxBV9VDPv7g 3/3MTa/u/3L2i7ZPgTN1TlZZx7rhUKp6I3MbHaC570apyPYmF66RmGzvTE4ewRyq i7q/CTS0w1H860kggLv2wpsDiguDYieKyg/zlnwKxHK2CYYxt7ZNvi7/cXFCvqaZ UqXid2aCW6p5+rb2hOwX =PAdc -----END PGP SIGNATURE-----
Received on Wednesday, 10 December 2014 15:07:05 UTC