[w3c/screen-orientation] Fingerprinting risk: users that configure their device to not permit screen locking (Issue #260) from bvandersloot-mozilla on 2025-09-22 (public-webapps-github@w3.org from September 2025)

From: bvandersloot-mozilla <notifications@github.com>
Date: Mon, 22 Sep 2025 13:04:46 -0700
To: w3c/screen-orientation <screen-orientation@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/screen-orientation/issues/260@github.com>

bvandersloot-mozilla created an issue (w3c/screen-orientation#260)

Reviewer from Privacy WG here 👋

When [applying an orientation lock](https://www.w3.org/TR/screen-orientation/#applying-an-orientation-lock) in step 5.4, "if the attempt fails due to previously-established user preference, or platform limitation, or any other reason: [...] [reject and nullify the current lock promise](https://www.w3.org/TR/screen-orientation/#dfn-reject-and-nullify-the-current-lock-promise) of document with a "[NotSupportedError](https://webidl.spec.whatwg.org/#notsupportederror)".". This leaves the user configuration potentially fingerprintble. This may be the correct behavior, but it would be nice to include a fingerprinting risk in the note associated with the step.

It also may be mitigated significantly by making the suggestion in Section 9 mandatory behavior: "A user agent SHOULD restrict the use of [lock](https://www.w3.org/TR/screen-orientation/#dom-screenorientation-lock)() to simple fullscreen documents as a [pre-lock condition](https://www.w3.org/TR/screen-orientation/#dfn-pre-lock-conditions). [[fullscreen](https://www.w3.org/TR/screen-orientation/#bib-fullscreen)]". Does anything prevent this from being MUST?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/screen-orientation/issues/260
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/screen-orientation/issues/260@github.com>

Received on Monday, 22 September 2025 20:04:50 UTC