Re: [w3c/manifest] Privacy Review: handle start_url tracking (#399) from Marcos Cáceres on 2019-04-11 (public-webapps-github@w3.org from April 2019)

From: Marcos Cáceres <notifications@github.com>
Date: Wed, 10 Apr 2019 18:26:20 -0700
To: w3c/manifest <manifest@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/manifest/issues/399/481930136@github.com>

> To build on @dominickng's suggestion, I think one option is to explicitly consider the start_url to be like any other local state.

Depends on a few things: 

 1. if the browser creates a shortcut on the desktop or whatever, then the browser might no longer be in control of the short cut (e.g., the user moves the shortcut to another folder). 
 1. The case of adding to home screen is akin to bookmarking: basically when you bookmark something, a user may be inevitably capturing their own unique identifier (e.g., "https://example.com/article?userid=123")... I know, this is a "what-about-ism", but it holds because most of us have these kinds of bookmarks in our browsers. 

> We know from our experience with evercookies that all local state needs to be cleared simultaneously in order to provide the user anything like what they're trying to ask for. 

I agree - but this is different from a malicious supercookie (e.g., HTST). There is explicit opt-in to install a web application, and it includes the possibility to inspect the URL. Granted, examining the URL is useless for 99% of people. The mitigation strategy is really to just delete the shortcut to the PWA. 

> That would suggest that when you "clear local state" on an "installed" web app, that you re-load the app entirely. 

Generally yes, I agree - and the data purge should be supported... however, going back to the supercookie attack, I don't see how it helps when the start URL is: "http://example.com?user=123"... you can just restore user123's cookies/state from the server when they open the app. 

> Alternatively, we could tell sites that they shouldn't use manifest data that is customized to the user in any way,

We can amend: 
https://www.w3.org/TR/appmanifest/#privacy-consideration-start_url-tracking

> and start work on the challenging problem of automatically identifying sites that are customizing start_url (or perhaps other parameters) and reporting them / blocking them so that users can be warned.

Sure. 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/399#issuecomment-481930136

Received on Thursday, 11 April 2019 01:26:42 UTC