Re: [w3c/gamepad] are timestamps a potential tracking/fingerprinting vector? (#74)

AIUI, the gamepad is not really associated with a window or an element, but rather with the entire display/desktop.  The gamepad differs from keyboard/mouse in that it doesn't change (or respect) the focused element (see Reilly's pop-up example).

Given that, I think that it makes sense for the gamepad api to be available to the current tab in all visible windows. But it should not be available to tabs/elements/windows that are not visible or in the background.

In any case, I'm having trouble convincing myself that there's a big fingerprinting concern. If I understand correctly, the attack requires that the user:

* Open multiple window from same (or related origin)
* Interact with both of these windows with the gamepad API

And then the attack gets the delta between these 2 windows' session creation time. It doesn't seem like this allows tracking across user sessions since this delta will differ.

For fingerprinting, I'm more worried about the "drive-by" web where the user doesn't interact with the page and doesn't have any indications that something's going on. In this case, the user has to interact and the site has to either trick the user into opening 2 windows, or popup secondary windows. So this doesn't seem to rise to the level where we need to jump through hoops to avoid.

**More concerning is that I didn't see a place in the spec where the API was restricted to something like the top-level browsing context of currently visible windows.** Having this API available to hidden or background tabs is more of a fingerprinting/privacy concern to me than the multiple window attack scenario.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/gamepad/issues/74#issuecomment-433413578

Received on Friday, 26 October 2018 13:48:12 UTC