Re: [w3c/manifest] Privacy Review: handle start_url tracking (#399)

> It's possible the recommendation could be that UAs strip any query string (or fragment identifier) from the URL when launching, but there are likely legit, non-privacy-invasive uses for these as well (e.g., language preference).

I made a [study](https://blog.lukaszolejnik.com/tracking-users-with-rogue-progressive-web-applications/) and indeed most uses of parameters are legit:

- 1672 pages include a manifest.json
- 828 use a dedicated start_url
- 274 use parameters
- None appear to use randomly generated identifiers


> I guess my question would be whether this particular potential abuse vector—a dynamic `start_url`—creates a unique opportunity to gain information about a particular user that cookies, localStorage, indexed DB, and the cache API—many of which PWAs are already likely to use—don't already provide.

The points I [raise](https://blog.lukaszolejnik.com/tracking-users-with-rogue-progressive-web-applications/) are mostly: there is no way to manage these identifiers, the use of them is not transparent, and they allow respawning others (i.e. if the user removes cookies, they can be brought to life).


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/399#issuecomment-481704532

Received on Wednesday, 10 April 2019 14:04:09 UTC
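
The buckets in the figures above (manifest with a `start_url`, with parameters, with identifier-like values) can be reproduced with a small audit script. This is an added example, not part of the original message or the linked study's code; the function names and the length/entropy heuristic are assumptions, and the sample manifests are constructed.

```python
import json
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

def shannon_entropy(value):
    """Bits per character of the string's own character distribution."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_random(token, min_len=16, min_entropy=3.0):
    # Assumed heuristic: a long, high-entropy token mixing letters and digits
    # resembles a generated identifier rather than a word like "homescreen".
    return (len(token) >= min_len
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token)
            and shannon_entropy(token) >= min_entropy)

def classify_manifest(manifest_text):
    """Return 'no_start_url', 'plain', 'parameters' or 'identifier_like'."""
    start_url = json.loads(manifest_text).get("start_url")
    if not start_url:
        return "no_start_url"
    parts = urlsplit(start_url)
    # Inspect keys and values of the query string, plus the fragment.
    tokens = [t for pair in parse_qsl(parts.query, keep_blank_values=True) for t in pair]
    if parts.fragment:
        tokens.append(parts.fragment)
    if not tokens:
        return "plain"
    return "identifier_like" if any(looks_random(t) for t in tokens) else "parameters"

def summarize(manifests):
    """Count manifests per bucket."""
    return Counter(classify_manifest(m) for m in manifests)

# Constructed sample manifests (not taken from the study's data set).
SAMPLES = [
    '{"name": "A"}',
    '{"name": "B", "start_url": "/"}',
    '{"name": "C", "start_url": "/?utm_source=homescreen"}',
    '{"name": "D", "start_url": "/index.html?lang=en#home"}',
    '{"name": "E", "start_url": "/?uid=9f3c2a7e41d84b0c8a6e5d1f7b2c9e04"}',
]

if __name__ == "__main__":
    for bucket, count in summarize(SAMPLES).items():
        print(bucket, count)
```

The heuristic is a triage aid only: a short or word-like identifier passes as `parameters`, and a per-user value can also sit in the path, which this script does not inspect.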