Re: [mediacapture-main] Stop recommending UUID for deviceId/groupId (#682)

> If you are incrementing integers and try to persist them so that they can be used by web pages across navigations, these integers will end up becoming a tracker for those users that use non built-in camera/microphone devices.

I agree with @youennf here. E.g. everything may look benign at first:

Your USB camera, mic & speaker ids may be `0`, `1` and `2`. Your bluetooth headset `3` and `4`.

Cut to 6 months later: Think of every device you've plugged into your system since then, even for a brief moment: conference room external speakers, a friend's camera, bluetooth headset of every family member. The "new id" counter may now be much higher.

Say you purchase a new USB camera, mic, and external speaker after trying a couple in a store, and you got a new bluetooth headset a couple of months ago. Their ids may now be `34`, `35`,  `42`, `14`, `15`. These bits may now help correlate you across origins you visit, because they'll be the same across all origins you visit (even in first-party pages, no iframes needed). They may not be enough to identify you uniquely, but along with other bits they might.

We should weigh that risk against today's origin-unique id, which is not correlatable in first party pages, and prevented from showing up in iframes by default, or may have its iframe storage partitioned in the near future (along with equally damaging JS-created ids in local storage).

GitHub Notification of comment by jan-ivar
Please view or discuss this issue at using your GitHub account

Received on Thursday, 16 April 2020 20:34:49 UTC