- From: Maciej Stachowiak <notifications@github.com>
- Date: Fri, 20 Sep 2019 10:22:05 -0700
- To: w3c/manifest <manifest@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/manifest/issues/399/533640639@github.com>
`start_url` is a potential tracking vector whether or not it contains a query string. It should at least be mentioned in Privacy Considerations if it isn't already.

It is distinct from bookmarks, because there's an easy opportunity to create a unique ID each time `manifest.json` is requested. To achieve the same for bookmarks would require redirects to ensure the user ID is visibly present in every URL on the site. It's much easier for a problem like that to be noticed by at least some thoughtful users and to be raised to public awareness.

There are possible mitigations other than entirely removing `start_url`. For example, `manifest.json` could be fetched on a caching proxy server to prevent stuffing a unique ID in it. (This specific solution creates a new privacy risk that the proxy operator could see the user's browsing; there are likely privacy-preserving solutions to this using crypto or bucketing, similar to the way safe browsing databases work.)

I think this problem should be taken seriously. Tracking via URL parameters is an increasingly common technique on the web in general, to the point that [WebKit deployed active mitigations for it](https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/). If this technique hasn't made it to PWAs yet, that is only good fortune, not a trait to be relied on.

Further, just because there are valid use cases for `start_url` does not mean that the privacy issues should be ignored. After all, cookies have valid use cases too.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3c/manifest/issues/399#issuecomment-533640639
Received on Friday, 20 September 2019 17:22:27 UTC