Re: [w3c/manifest] Privacy Review: handle start_url tracking (#399)

> I agree that there is a possibility for a browser to classify and treat a start_url as a tracker, but I don't feel this raises to the level of a super cookie. So, I'm not saying we shouldn't do anything here - but I don't think it's a dire situation.

We finished our crawl and I have data, @lknik. We crawled 65k+ URLs and collected 27k+ manifest files. Of those, < 2.5k included a query string in the manifest. I did a manual run-through of that list and to my eyes every instance was tracking the source for analytics purposes (e.g., `utm_source=homescreen` or similar). This is not to say that this isn’t a potential abuse vector (it is every bit as much as bookmarks are), but this does not appear to be an issue currently.

Here is the data as CSV if you’re interested: https://drive.google.com/file/d/1xM5781ufP7kwB_kX6tGzQ-cd71ubnm4U/view?usp=sharing


Perhaps we can find some way to strike a balance between useful analytics tracking and privacy violation? I had considered the possibility of disallowing manifests to be requested (or installed) with a query string (thereby disallowing dynamic manifest generation, which would likely be a common implementation for tracking), but there are valid reasons you might want/need that. Here are two off the top of my head:

1. It’s currently one of the only ways to offer dynamic language support within a manifest and 
2. SaaS apps can use it to customize the app icon and other features per tenant.

I’m not sure what the right answer is here, but it seems we do have some time to continue to consider different options.

Another complication (which I don’t remember being discussed above) is that some implementations of installed PWAs share data (cookies, cache, etc.) between PWA instances and the browser that installed them. Windows Store-installed PWAs are sandboxed, but I think every Chromium-based browser—at least currently—has a shared data pool. Would clearing all temporary and persistent data from *their browser* when they uninstall/reset an "app" be what users would/should expect? It seems if we go that route, we would need to include some strong language to implementors that they need to make users aware of such implications.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/manifest/issues/399#issuecomment-489205097

Received on Friday, 3 May 2019 19:01:57 UTC
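The check described in the message above (resolve each manifest's `start_url`, look at its query string, and separate benign attribution parameters such as `utm_source=homescreen` from values that could carry a per-install identifier) can be reproduced with a small script. The following is an added illustration for this thread, not the crawler the poster used and not part of the manifest specification or its reference code; the set of analytics keys, the "opaque value" heuristic, and the sample manifests are constructed assumptions for the example.

```python
"""Flag start_url query strings in web app manifests.

Added example for the w3c/manifest #399 discussion; not the poster's crawler.
"""
import json
import re
from urllib.parse import parse_qsl, urljoin, urlparse

# Attribution keys treated as benign analytics (assumption: illustrative, not exhaustive).
ANALYTICS_KEYS = {"utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content"}

_HEX_RE = re.compile(r"[0-9a-f]{16,}", re.I)
_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_=-]{20,}")


def looks_opaque(value: str) -> bool:
    """Heuristic: long hex strings or long mixed letter/digit tokens resemble identifiers."""
    if _HEX_RE.fullmatch(value):
        return True
    return bool(
        _TOKEN_RE.fullmatch(value)
        and re.search(r"\d", value)
        and re.search(r"[A-Za-z]", value)
    )


def start_url_params(manifest_url: str, manifest_text: str):
    """Resolve start_url against the manifest URL and return its query pairs.

    A manifest without start_url yields no parameters for this check.
    """
    manifest = json.loads(manifest_text)
    start = manifest.get("start_url")
    if start is None:
        return []
    resolved = urljoin(manifest_url, start)
    return parse_qsl(urlparse(resolved).query, keep_blank_values=True)


def classify(params) -> str:
    """'none': no query; 'analytics': only known keys with readable values;
    'suspicious': unknown key or identifier-like value."""
    if not params:
        return "none"
    for key, value in params:
        if key.lower() not in ANALYTICS_KEYS or looks_opaque(value):
            return "suspicious"
    return "analytics"


def scan(samples):
    """samples: iterable of (manifest_url, manifest_json_text). Returns per-class counts."""
    counts = {"none": 0, "analytics": 0, "suspicious": 0}
    for url, text in samples:
        counts[classify(start_url_params(url, text))] += 1
    return counts


# Constructed sample manifests (not taken from the crawl data linked in the thread).
SAMPLES = [
    ("https://example.test/manifest.json", '{"start_url": "/?utm_source=homescreen"}'),
    ("https://example.test/manifest.json", '{"start_url": "/app/"}'),
    ("https://example.test/manifest.json", '{"name": "no start_url"}'),
    ("https://example.test/m/manifest.json",
     '{"start_url": "../?uid=3f9c2a7b1e4d5c6a9b8f7e6d5c4b3a21"}'),
    ("https://example.test/manifest.json",
     '{"start_url": "/?utm_source=a1b2c3d4e5f6a7b8c9d0e1f2"}'),
]

if __name__ == "__main__":
    for url, text in SAMPLES:
        params = start_url_params(url, text)
        print(classify(params), params)
    print(scan(SAMPLES))
```

Relative `start_url` values are resolved against the manifest URL, which is why the fourth sample's `../` climbs out of `/m/`. The heuristic deliberately flags a known key such as `utm_source` when its value looks like a token rather than a label, since that is the case the manual review in the thread would have to distinguish from ordinary `utm_source=homescreen` analytics.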