- From: Ian Clelland <notifications@github.com>
- Date: Tue, 19 Dec 2023 06:51:06 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/909/1862907621@github.com>
Sorry, that notification got lost in my inbox -- thank goodness for end-of-year cleanup time :) 1. I don't know of any unintended consequences; the intended consequences are that the site owner can tell if a script on their page is attempting to use an API that was blocked by policy (note that this is not the same thing as being blocked by the user denying permission; in the enforcing mode, the user will never even have been prompted, as the feature was already being blocked by policy.) The policy is set by the structure of the web site, through headers, and the `allow` attribute on iframes, which would not be useful for fingerprinting a particular browser or user. The fact that reporting is available at all *does* provide a very coarse fingerprinting signal, but it is equivalent to knowing the model+version of the browser itself. This is the same as using any other feature-detection to deduce the browser version. 2. The reports can be sent to a third party, at the site owner's discretion. Third-party reports have a few additional restrictions (the receiving server must support CORS, and the reports will not include any credentials; see https://w3c.github.io/reporting/#try-delivery) 3. I'll add that to the explainer, thanks! -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/909#issuecomment-1862907621 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/909/1862907621@github.com>
Received on Tuesday, 19 December 2023 14:51:12 UTC