Re: [w3c/permissions] Provide guidelines or heuristics to prevent fingerprinting in case permission is denied (Issue #361)

> How do you envision this set of denied permissions being used to discover that 2 visits on different top-level sites come from the same person?

One possibility is for the two web sites to go to the same origin C and then navigate to the actual page (say when both pages are in the background).
While clearing C cookies/website data regularly is usually good enough, permissions are more difficult to clear (they are more visible to users) and tend to be more persistent as well.

> I think denied state should always be exposed by default.

Can you detail potential downsides?
For instance, can you describe how the above heuristic would break well-behaving applications?

-- 
https://github.com/w3c/permissions/issues/361#issuecomment-1060859901

Message ID: <w3c/permissions/issues/361/1060859901@github.com>

Received on Monday, 7 March 2022 16:10:43 UTC