- From: Florian Bösch <pyalot@gmail.com>
- Date: Thu, 31 Jan 2013 13:00:48 +0100
- To: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, www-dom@w3.org
Received on Thursday, 31 January 2013 12:01:16 UTC
On Thu, Jan 31, 2013 at 12:54 PM, Hallvord Reiar Michaelsen Steen < hallvord@opera.com> wrote: > Well yes, implicitly you did. If a random website can figure out where > keys are on your keyboard (i.e. what layout you are using) it is an extra > data point for fingerprinting / tracking users. So Björn has a good point: > for privacy reasons, access to this API should probably be limited to > sites/apps that are trusted or privileged in some way. > I strongly disagree with that we should sacrifice accessability and i18n on the altar of fingerprinting concerns. There are situations when that may be necessary, I don't think this is one of them. The HTTP header "accept-language" defined by HTTP 1.1 section 1.4.4 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html already provides the users locale. A users locale has a strong correlation to a users keyboard layout. If the intent is to avoid adding identifyable bits by preventing locale sniffing that train is gone with accept-language. The additional keyboard layout information is mostly superfluous for fingerprinting. However without some way to query the layout for a users key symbol, usability of shortcut mapping dialogs is extremely crippled.
Received on Thursday, 31 January 2013 12:01:16 UTC