Fwd: privacy of delegating-or-not CSS media queries to embedded frames

Just a belated follow-up from a PING call discussion in July; I've
sent this question on to the CSS WG mailing list.
Cheers,
Nick

---------- Forwarded message ---------
From: Nick Doty <ndoty@cdt.org>
Date: Tue, Sep 17, 2024 at 2:34 PM
Subject: privacy of delegating-or-not CSS media queries to embedded frames
To: <www-style@w3.org>


Hello CSS friends,

The Privacy Interest Group recently [0] discussed the Device Posture
API, which raised some questions about the privacy impact of media
queries and, more specifically, whether media query functionality
should be delegated or qualified in some way to indicate whether a
particular embedded frame (or embedded frames generally) should have
access to the values of a particular media query.

The particular use case where this came up was that a top-level site
might want to know when or whether the device has been folded: this
has some privacy impact in potentially letting multiple origins try to
correlate whether visitors are actually the same user by correlating
when a device environment changes on embedded frames in multiple
origins. (This is sometimes called ephemeral fingerprinting, although
it's a pretty distinctly different technique from what we typically
call browser fingerprinting.) While the functionality might be
important for a top-level site, it might not be important or desirable
to communicate to every embedded frame. In thinking about the
possibility of fenced frames, for example, or the use of permissions
policy to delegate particular functionality to iframes (or exclude
functionality from certain iframes), the Web platform sometimes
indicates that a capability shouldn't be available to a frame.

That was a lot of set-up. The question for the CSS WG is: does CSS
have some way, or would you be interested in standardizing some way,
to indicate whether media query values (or perhaps other CSS
functionalities) should be available to frames or to a particular
frame? There might be a privacy/interoperability benefit in aligning
permissions that are delegated-or-not to frames with CSS
functionality. There could be an opportunity to improve the privacy of
media queries or CSS generally and also to mitigate privacy risks when
adding new capabilities looking forward.

This is my brief summary as co-chair of a discussion in July; it's
likely imperfect. Questions or discussion would be welcome, on email,
GitHub or at TPAC.

Cheers,
Nick, for PING folks

[0] Okay, it was actually a couple months ago and I got behind on
sending this follow-up to you all. Minutes here:
https://www.w3.org/Privacy/IG/summaries/PING-minutes-20240718#b-device-posture-api---httpsgithubcomw3cpingprivacy-requestissues136-pete

--
Nick Doty | https://npdoty.name
Senior Technologist
Center for Democracy & Technology | https://cdt.org

Received on Tuesday, 17 September 2024 18:36:01 UTC