[webrtc-stats] Fullscreen shouldn't be enough to reveal fingerprinting-surface (#712)

pes10k has just created a new issue for https://github.com/w3c/webrtc-stats:

== Fullscreen shouldn't be enough to reveal fingerprinting-surface ==
Currently the spec has two gates to exposing high-resolution / high-granularity fingerprinting surface: [capturing or fullscreen](https://w3c.github.io/webrtc-stats/#limiting-exposure-of-hardware-capabilities).

Capturing seems like an appropriate guard since the user has already likely gone through some browser UI flow, and indicated a pretty high level of trust with the site.

Having a `fullscreenElement` though doesn't indicate any such level of trust, and is not a sufficient guard against fingerprinting. This is especially true since the element that has fullscreen might be only loosely related to the page itself, and might not indicate any level of trust with any frame on the document (think, for example, a clickbait site hosting a YouTube video, or any other `<video>`, etc).

Further, many (most?) fullscreen elements have nothing to do with WebRTC.

I suggest the spec remove the `fullscreenElement` option in the guard (i.e. remove bullet 2 from [Section 6.1.](https://w3c.github.io/webrtc-stats/#limiting-exposure-of-hardware-capabilities))

Please view or discuss this issue at https://github.com/w3c/webrtc-stats/issues/712 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 November 2022 22:50:39 UTC