[w3c/permissions] Provide guidelines or heuristics to prevent fingerprinting in case permission is denied (Issue #361) from youennf on 2022-02-09 (public-webapps-github@w3.org from February 2022)

From: youennf <notifications@github.com>
Date: Wed, 09 Feb 2022 09:32:37 -0800
To: w3c/permissions <permissions@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/permissions/issues/361@github.com>

https://w3c.github.io/permissions/#privacy-considerations discusses privacy concerns.

One case that is of concern is if the user is not trusting the website and is permanently denying the permission.
This could be used as a permanent fingerprint that is more difficult to clean up than other website data like cookies.

One potential countermeasure is that Permissions API would only expose the denied state after the web site actually tries to call the API requesting access.

For instance, a web page is loaded on a site where camera is denied permanently:
- page calls Permissions API and 'prompt' is returned instead of the actual 'denied' state.
- page calls getUserMedia, no prompt is shown, NotAllowedError is returned.
- page calls Permissions API and now understands that permission is permanently denied. Page provide guidelines to user in case user wants to change the persistent setting.

Thoughts?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/361
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/permissions/issues/361@github.com>

Received on Wednesday, 9 February 2022 17:32:49 UTC