- From: innotommy <notifications@github.com>
- Date: Wed, 03 Dec 2025 05:19:40 -0800
- To: w3c/screen-orientation <screen-orientation@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/screen-orientation/issues/277@github.com>
innotommy created an issue (w3c/screen-orientation#277)

I am opening this issue as a result of the security review: https://github.com/w3c/security-request/issues/101#issuecomment-3573604811

## Problem

Current anti-fingerprinting mitigations use **SHOULD**, permitting wide variation across UAs. Divergence itself becomes a fingerprinting vector.

Attackers can infer:

- browser brand / version
- platform type
- hinge / posture characteristics
- rotation-lock state
- multi-screen configuration

## Why This Matters

Optional mitigations lead to:

- increased entropy
- predictable cross-browser variation
- detectable platform quirks

## Requested Normative Change

Upgrade mitigations to **MUST**.

Example:

> User agents MUST NOT expose platform rotation-lock state, hinge/posture characteristics, secondary-screen details, or device-class distinctions through differences in supported `OrientationLockType` or observable behavior, except where required for accessibility or essential functionality.

Additional harmonization:

- Normalize event-dispatch timing to avoid detectable quirks
- Standardize fallback behavior for unsupported lock types
- Ensure lock-type support does not vary with OS state

## Expected Benefits

- Reduced fingerprinting risk
- More predictable developer experience
- Aligns with modern Web privacy practices

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/screen-orientation/issues/277
Received on Wednesday, 3 December 2025 13:19:44 UTC