Re: [mediacapture-main] fixed, per origin, device ID creates tracking risk (#607)

> We might be saying the same thing here, but my point is that "if double keying isn't standardized somewhere else" (as it currently isn't) then it needs to be specified here, even if that text ends up being made redundant by future work.

I'm saying the opposite: if double keying of both cookies and localStorage isn't standardized—which I doubt will ever happen, as it would break lots of stuff—then double-keying deviceIds seems futile. E.g.:
if (!localStorage.fingerprint) {
  localStorage.fingerprint = await navigator.mediaDevices.enumerateDevices();
My take on mediacapture's *"treat ... deviceId as ... cookies ... are treated."* is we're trying to avoid creating a new class of problems. I.e. whatever makes sense for cookies makes sense for deviceIds. If a browser clears or expires cookies after 7 days, then do the same for deviceIds. If third-party cookies are blocked, then block persisting third-party deviceIds.

> So my goal / concern in this issue is to make sure getUserMedia doesn't make that work more difficult / nullified.

If browsers treat deviceIds like cookies then it won't.

If there's any language in the spec that contradicts this, I'd support removing it. If there's prose we can add to normatively enforce it, I'm for adding it.

GitHub Notification of comment by jan-ivar
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 24 July 2019 22:57:03 UTC