[html5] r7205 - [e] (0) Mark features that can be used for fingerprinting. I'm sure I missed som [...]

whatwg at whatwg.org whatwg at whatwg.org
Wed Jul 25 23:53:49 PDT 2012


Author: ianh
Date: 2012-07-25 23:53:46 -0700 (Wed, 25 Jul 2012)
New Revision: 7205

Modified:
   complete.html
   index
   source
Log:
[e] (0) Mark features that can be used for fingerprinting. I'm sure I missed some, please don't hesitate to point them out to me. Even if they only contribute half a bit of data.
Affected topics: Canvas, DOM APIs, HTML, Web Storage

Modified: complete.html
===================================================================
--- complete.html	2012-07-26 05:50:45 UTC (rev 7204)
+++ complete.html	2012-07-26 06:53:46 UTC (rev 7205)
@@ -110,6 +110,8 @@
    [hidden] { display: none; }
   </style><style type=text/css>
 
+   .fingerprint { float: right; }
+
    .applies thead th > * { display: block; }
    .applies thead code { display: block; }
    .applies tbody th { whitespace: nowrap; }
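Review bot: the context line `.applies tbody th { whitespace: nowrap; }` directly below the added rule carries a pre-existing typo, the CSS property is `white-space`, so that declaration is silently dropped by every browser; since this style block is being touched anyway, it is worth correcting at the same time, and the fix belongs in `source`, from which `complete.html` and `index` are generated per the Modified list.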
@@ -294,16 +296,17 @@
     <ol>
      <li><a href=#how-to-read-this-specification><span class=secno>1.9.1 </span>How to read this specification</a></li>
      <li><a href=#typographic-conventions><span class=secno>1.9.2 </span>Typographic conventions</a></ol></li>
-   <li><a href=#a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</a>
+   <li><a href=#fingerprint><span class=secno>1.10 </span>Privacy concerns</a></li>
+   <li><a href=#a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</a>
     <ol>
-     <li><a href=#writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</a></li>
-     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
-   <li><a href=#conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</a>
+     <li><a href=#writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</a></li>
+     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
+   <li><a href=#conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</a>
     <ol>
-     <li><a href=#presentational-markup><span class=secno>1.11.1 </span>Presentational markup</a></li>
-     <li><a href=#syntax-errors><span class=secno>1.11.2 </span>Syntax errors</a></li>
-     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</a></ol></li>
-   <li><a href=#recommended-reading><span class=secno>1.12 </span>Recommended reading</a></ol></li>
+     <li><a href=#presentational-markup><span class=secno>1.12.1 </span>Presentational markup</a></li>
+     <li><a href=#syntax-errors><span class=secno>1.12.2 </span>Syntax errors</a></li>
+     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</a></ol></li>
+   <li><a href=#recommended-reading><span class=secno>1.13 </span>Recommended reading</a></ol></li>
  <li><a href=#infrastructure><span class=secno>2 </span>Common infrastructure</a>
   <ol>
    <li><a href=#terminology><span class=secno>2.1 </span>Terminology</a>
@@ -2059,9 +2062,91 @@
   <p class=impl>This is an implementation requirement.</p>
 
 
+  <h3 id=fingerprint><span class=secno>1.10 </span>Privacy concerns</h3>
 
-  <h3 id=a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</h3>
+  <p><i>This section is non-normative.</i></p>
 
+  <p>Some features of HTML trade user convenience for a measure of
+  user privacy.</p>
+
+  <p>In general, due to the Internet's architecture, a user can be
+  distinguished from another by the user's IP address. IP addresses do
+  not perfectly match to a user; as a user moves from device to
+  device, or from network to network, their IP address will change;
+  similarly, NAT routing, proxy servers, and shared computers enable
+  packets that appear to all come from a single IP address to actually
+  map to multiple users. Technologies such as onion routing can be
+  used to further anonymize requests so that requests from a single
+  user at one node on the Internet appear to come from many disparate
+  parts of the network.</p>
+
+  <p>However, the IP address used for a user's requests is not the
+  only mechanism by which a user's requests could be related to each
+  other. Cookies, for example, are designed specifically to enable
+  this, and are the basis of most of the Web's session features that
+  enable you to log into a site with which you have an account.</p>
+
+  <p>There are other mechanisms that are more subtle. Certain
+  characteristics of a user's system can be used to distinguish groups
+  of users from each other; by collecting enough such information, an
+  individual user's browser's "digital fingerprint" can be computed,
+  which can be as good, if not better, as an IP address in
+  ascertaining which requests are from the same user.</p>
+
+  <p>Grouping requests in this manner, especially across multiple
+  sites, can be used for both benign (and even arguably positive)
+  purposes, as well as for malevolent purposes. An example of a
+  reasonably benign purpose would be determining whether a particular
+  person seems to prefer sites with dog illustrations as opposed to
+  sites with cat illstrations (based on how often they visit the sites
+  in question) and then automatically using the preferred
+  illustrations on subsequent visits to participating sites.
+  Malevolent purposes, however, could include governments combining
+  information such as the person's home address (determined from the
+  addresses they use when getting driving directions on one site) with
+  their apparent political affiliations (determined by examining the
+  forum sites that they participate in) to determine whether the
+  person should be prevented from voting in an election.</p>
+
+  <p>Since the malevolent purposes can be remarkably evil, user agent
+  implementors are encouraged to consider how to provide their users
+  with tools to minimise leaking information that could be used to
+  fingerprint a user.</p>
+
+  <p>Unfortunately, as the first paragraph in this section implies,
+  sometimes there is great benefit to be derived from exposing the
+  very information that can also be used for fingerprinting purposes,
+  so it's not as easy as simply blocking all possible leaks. For
+  instance, the ability to log into a site to post under a specific
+  identity requires that the user's requests be identifiable as all
+  being from the same user, more or less by definition. More subtly,
+  though, information such as how wide text is, which is necessary for
+  many effects that involve drawing text onto a canvas (e.g. any
+  effect that involves drawing a border around the text) also leaks
+  information that can be used to group a user's requests. (In this
+  case, by potentially exposing, via a brute force search, which fonts
+  a user has installed, information which can vary considerably from
+  user to user.)</p>
+
+  <p>Features in this specification which can be used to fingerprint
+  the user are marked as this paragraph is.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
+
+  <p>Other features in the platform can be used for the same purpose,
+  though, including, though not limited to:</p>
+
+  <ul><li>The exact list of which features a user agents supports.</li>
+
+   <li>The maximum allowed stack depth for recursion in script.</li>
+
+   <li>Features that describe the user's environment, like Media
+   Queries and the <code><a href=#screen>Screen</a></code> object. <a href=#refsMQ>[MQ]</a> <a href=#refsCSSOMVIEW>[CSSOMVIEW]</a></li>
+
+   <li>The user's time zone.</li>
+
+  </ul><h3 id=a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</h3>
+
   <p><i>This section is non-normative.</i></p>
 
   <p>A basic HTML document looks like this:</p>
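Review bot: a few wording slips in the new section text: "cat illstrations" should read "cat illustrations"; "which features a user agents supports" should read "which features a user agent supports"; "as good, if not better, as an IP address" should read "as good as, if not better than, an IP address"; "minimise" a few paragraphs after "anonymize" mixes British and American spelling, so pick one; and "though, including, though not limited to" repeats "though" within one clause. Separately, the marker `<img>` is hotlinked from `http://images.whatwg.org/fingerprint.png` in every marked paragraph, so each copy of the rendered spec fetches it from that host rather than shipping the image alongside; a relative path would make offline and mirrored copies self-contained. All of these should be fixed in `source`, since both generated files repeat them.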
@@ -2211,7 +2296,7 @@
   understand at first.</p>
 
 <!--ADD-TOPIC:Security-->
-  <h4 id=writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</h4>
+  <h4 id=writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2354,7 +2439,7 @@
 
    </dd>
 
-  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
+  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2417,7 +2502,7 @@
 
 
 
-  <h3 id=conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</h3>
+  <h3 id=conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2437,7 +2522,7 @@
   document and one with errors.</p>
 
 
-  <h4 id=presentational-markup><span class=secno>1.11.1 </span>Presentational markup</h4>
+  <h4 id=presentational-markup><span class=secno>1.12.1 </span>Presentational markup</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2512,7 +2597,7 @@
   <code><a href=#the-s-element>s</a></code>, <code><a href=#the-small-element>small</a></code>, and <code><a href=#the-u-element>u</a></code>.</p>
 
 
-  <h4 id=syntax-errors><span class=secno>1.11.2 </span>Syntax errors</h4>
+  <h4 id=syntax-errors><span class=secno>1.12.2 </span>Syntax errors</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2773,7 +2858,7 @@
 
 
 
-  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</h4>
+  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -3017,7 +3102,7 @@
 
    </dd>
 
-  </dl><h3 id=recommended-reading><span class=secno>1.12 </span>Recommended reading</h3>
+  </dl><h3 id=recommended-reading><span class=secno>1.13 </span>Recommended reading</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -8236,7 +8321,9 @@
 
      <li><p>Take ownership of the <a href=#storage-mutex>storage mutex</a>.</li>
 
-     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a></li>
+     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a>
+     <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+     </li>
 
      <li><p>Release the <a href=#storage-mutex>storage mutex</a> so that it is once
      again free.</li>
@@ -10078,8 +10165,8 @@
   </dl><div class=impl>
 
   <p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn>
-  attribute represents the cookies of the resource from which the
-  <code><a href=#document>Document</a></code> was created.</p>
+  attribute represents the cookies of the resource identified by
+  <a href="#the-document's-address">the document's address</a>.</p>
 
   <p>A <code><a href=#document>Document</a></code> object that falls into one of the
   following conditions is a <dfn id=cookie-averse-document-object>cookie-averse <code>Document</code>
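Review bot: the log message does not mention the rewording of the `cookie` attribute definition in this hunk, from "the cookies of the resource from which the Document was created" to "the cookies of the resource identified by the document's address", which is a change to an implementation requirement rather than a fingerprint mark. It does bring the definition into line with the getter text in the next hunk, which already returns the cookie-string for the document's address, but it deserves a sentence in the log so the change is not hidden under an "[e] (0)" editorial label.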
@@ -10103,7 +10190,9 @@
   first <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
   cookie-string for <a href="#the-document's-address">the document's address</a> for a
   "non-HTTP" API, <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>.
-  <a href=#refsCOOKIES>[COOKIES]</a></p>
+  <a href=#refsCOOKIES>[COOKIES]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>On setting, if the document is a <a href=#cookie-averse-document-object>cookie-averse
   <code>Document</code> object</a>, then the user agent must do
@@ -36057,7 +36146,7 @@
 
   <p>All the bitmaps created during a single <a href=#concept-task title=concept-task>task</a> for canvases that use 2D contexts
   must have the same resolution.
-  <!--XXX 4INSERT FINGERPRINT-->
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
   </p>
 
   <pre class=idl>partial interface <a href=#screen>Screen</a> {
@@ -38786,7 +38875,9 @@
   <code><a href=#securityerror>SecurityError</a></code> exception.
 <!--REMOVE-TOPIC:Security-->
   Otherwise, it must return the new <code><a href=#textmetrics>TextMetrics</a></code> object.
-  <a href=#refsCSS>[CSS]</a></p>
+  <a href=#refsCSS>[CSS]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -49978,7 +50069,9 @@
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Submit" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
 
@@ -50331,7 +50424,9 @@
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Reset" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
 
@@ -72434,7 +72529,9 @@
    <li>The user has not disabled scripting for this <a href=#browsing-context>browsing
    context</a> at this time. (User agents may provide users with
    the option to disable scripting globally, or in a finer-grained
-   manner, e.g. on a per-origin basis.)</li>
+   manner, e.g. on a per-origin basis.)
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </li>
 
    <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a>'s
    <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
@@ -75014,7 +75111,9 @@
   to user can be used to profile the user. In fact, if enough such
   information is available, a user can actually be uniquely
   identified. For this reason, user agent implementors are strongly
-  urged to include as little information in this API as possible.</p>
+  urged to include as little information in this API as possible.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -75330,7 +75429,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   scheme and the second gives the string used to build the
-  <a href=#url>URL</a> of the page that will handle the requests.</p>
+  <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the schemes for which
   custom protocol handlers are registered in an <a href=#ascii-case-insensitive>ASCII
@@ -75345,7 +75446,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   <a href=#mime-type>MIME type</a> and the second gives the string used to build
-  the <a href=#url>URL</a> of the page that will handle the requests.</p>
+  the <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the <a href=#mime-type title="MIME
   type">MIME types</a> for which custom content handlers are
@@ -75717,7 +75820,9 @@
     <a href=#url>URL</a> to an OpenSearch description document. <a href=#refsOPENSEARCH>[OPENSEARCH]</a></li>
 
    </ol><p>The <dfn id=dom-external-issearchproviderinstalled title=dom-external-IsSearchProviderInstalled><code>IsSearchProviderInstalled()</code></dfn>
-   method, when invoked, must run the following steps:</p>
+   method, when invoked, must run the following steps:
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </p>
 
    <ol><li><p>Optionally, return 0 and abort these steps. User agents may
     implement the method as a stub method that never returns a
@@ -85042,7 +85147,9 @@
 
   <p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
   object provides a <code><a href=#storage-0>Storage</a></code> object for an
-  <a href=#origin>origin</a>.</p>
+  <a href=#origin>origin</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>User agents must have a set of local storage areas, one for each
   <a href=#origin>origin</a>.</p>

Modified: index
===================================================================
--- index	2012-07-26 05:50:45 UTC (rev 7204)
+++ index	2012-07-26 06:53:46 UTC (rev 7205)
@@ -110,6 +110,8 @@
    [hidden] { display: none; }
   </style><style type=text/css>
 
+   .fingerprint { float: right; }
+
    .applies thead th > * { display: block; }
    .applies thead code { display: block; }
    .applies tbody th { whitespace: nowrap; }
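Review bot: the hunks in this file are byte-identical to those in `complete.html` above, so the same comments apply here (the `whitespace` property typo in this context line, the wording slips in the new Privacy concerns section, and the unlogged rewording of the `cookie` attribute definition); since both files are generated from `source` per the Modified list, the fixes should land there once rather than in each output.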
@@ -294,16 +296,17 @@
     <ol>
      <li><a href=#how-to-read-this-specification><span class=secno>1.9.1 </span>How to read this specification</a></li>
      <li><a href=#typographic-conventions><span class=secno>1.9.2 </span>Typographic conventions</a></ol></li>
-   <li><a href=#a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</a>
+   <li><a href=#fingerprint><span class=secno>1.10 </span>Privacy concerns</a></li>
+   <li><a href=#a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</a>
     <ol>
-     <li><a href=#writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</a></li>
-     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
-   <li><a href=#conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</a>
+     <li><a href=#writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</a></li>
+     <li><a href=#common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</a></ol></li>
+   <li><a href=#conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</a>
     <ol>
-     <li><a href=#presentational-markup><span class=secno>1.11.1 </span>Presentational markup</a></li>
-     <li><a href=#syntax-errors><span class=secno>1.11.2 </span>Syntax errors</a></li>
-     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</a></ol></li>
-   <li><a href=#recommended-reading><span class=secno>1.12 </span>Recommended reading</a></ol></li>
+     <li><a href=#presentational-markup><span class=secno>1.12.1 </span>Presentational markup</a></li>
+     <li><a href=#syntax-errors><span class=secno>1.12.2 </span>Syntax errors</a></li>
+     <li><a href=#restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</a></ol></li>
+   <li><a href=#recommended-reading><span class=secno>1.13 </span>Recommended reading</a></ol></li>
  <li><a href=#infrastructure><span class=secno>2 </span>Common infrastructure</a>
   <ol>
    <li><a href=#terminology><span class=secno>2.1 </span>Terminology</a>
@@ -2059,9 +2062,91 @@
   <p class=impl>This is an implementation requirement.</p>
 
 
+  <h3 id=fingerprint><span class=secno>1.10 </span>Privacy concerns</h3>
 
-  <h3 id=a-quick-introduction-to-html><span class=secno>1.10 </span>A quick introduction to HTML</h3>
+  <p><i>This section is non-normative.</i></p>
 
+  <p>Some features of HTML trade user convenience for a measure of
+  user privacy.</p>
+
+  <p>In general, due to the Internet's architecture, a user can be
+  distinguished from another by the user's IP address. IP addresses do
+  not perfectly match to a user; as a user moves from device to
+  device, or from network to network, their IP address will change;
+  similarly, NAT routing, proxy servers, and shared computers enable
+  packets that appear to all come from a single IP address to actually
+  map to multiple users. Technologies such as onion routing can be
+  used to further anonymize requests so that requests from a single
+  user at one node on the Internet appear to come from many disparate
+  parts of the network.</p>
+
+  <p>However, the IP address used for a user's requests is not the
+  only mechanism by which a user's requests could be related to each
+  other. Cookies, for example, are designed specifically to enable
+  this, and are the basis of most of the Web's session features that
+  enable you to log into a site with which you have an account.</p>
+
+  <p>There are other mechanisms that are more subtle. Certain
+  characteristics of a user's system can be used to distinguish groups
+  of users from each other; by collecting enough such information, an
+  individual user's browser's "digital fingerprint" can be computed,
+  which can be as good, if not better, as an IP address in
+  ascertaining which requests are from the same user.</p>
+
+  <p>Grouping requests in this manner, especially across multiple
+  sites, can be used for both benign (and even arguably positive)
+  purposes, as well as for malevolent purposes. An example of a
+  reasonably benign purpose would be determining whether a particular
+  person seems to prefer sites with dog illustrations as opposed to
+  sites with cat illstrations (based on how often they visit the sites
+  in question) and then automatically using the preferred
+  illustrations on subsequent visits to participating sites.
+  Malevolent purposes, however, could include governments combining
+  information such as the person's home address (determined from the
+  addresses they use when getting driving directions on one site) with
+  their apparent political affiliations (determined by examining the
+  forum sites that they participate in) to determine whether the
+  person should be prevented from voting in an election.</p>
+
+  <p>Since the malevolent purposes can be remarkably evil, user agent
+  implementors are encouraged to consider how to provide their users
+  with tools to minimise leaking information that could be used to
+  fingerprint a user.</p>
+
+  <p>Unfortunately, as the first paragraph in this section implies,
+  sometimes there is great benefit to be derived from exposing the
+  very information that can also be used for fingerprinting purposes,
+  so it's not as easy as simply blocking all possible leaks. For
+  instance, the ability to log into a site to post under a specific
+  identity requires that the user's requests be identifiable as all
+  being from the same user, more or less by definition. More subtly,
+  though, information such as how wide text is, which is necessary for
+  many effects that involve drawing text onto a canvas (e.g. any
+  effect that involves drawing a border around the text) also leaks
+  information that can be used to group a user's requests. (In this
+  case, by potentially exposing, via a brute force search, which fonts
+  a user has installed, information which can vary considerably from
+  user to user.)</p>
+
+  <p>Features in this specification which can be used to fingerprint
+  the user are marked as this paragraph is.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
+
+  <p>Other features in the platform can be used for the same purpose,
+  though, including, though not limited to:</p>
+
+  <ul><li>The exact list of which features a user agents supports.</li>
+
+   <li>The maximum allowed stack depth for recursion in script.</li>
+
+   <li>Features that describe the user's environment, like Media
+   Queries and the <code><a href=#screen>Screen</a></code> object. <a href=#refsMQ>[MQ]</a> <a href=#refsCSSOMVIEW>[CSSOMVIEW]</a></li>
+
+   <li>The user's time zone.</li>
+
+  </ul><h3 id=a-quick-introduction-to-html><span class=secno>1.11 </span>A quick introduction to HTML</h3>
+
   <p><i>This section is non-normative.</i></p>
 
   <p>A basic HTML document looks like this:</p>
@@ -2211,7 +2296,7 @@
   understand at first.</p>
 
 <!--ADD-TOPIC:Security-->
-  <h4 id=writing-secure-applications-with-html><span class=secno>1.10.1 </span>Writing secure applications with HTML</h4>
+  <h4 id=writing-secure-applications-with-html><span class=secno>1.11.1 </span>Writing secure applications with HTML</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2354,7 +2439,7 @@
 
    </dd>
 
-  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.10.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
+  </dl><!--REMOVE-TOPIC:Security--><h4 id=common-pitfalls-to-avoid-when-using-the-scripting-apis><span class=secno>1.11.2 </span>Common pitfalls to avoid when using the scripting APIs</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2417,7 +2502,7 @@
 
 
 
-  <h3 id=conformance-requirements-for-authors><span class=secno>1.11 </span>Conformance requirements for authors</h3>
+  <h3 id=conformance-requirements-for-authors><span class=secno>1.12 </span>Conformance requirements for authors</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2437,7 +2522,7 @@
   document and one with errors.</p>
 
 
-  <h4 id=presentational-markup><span class=secno>1.11.1 </span>Presentational markup</h4>
+  <h4 id=presentational-markup><span class=secno>1.12.1 </span>Presentational markup</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2512,7 +2597,7 @@
   <code><a href=#the-s-element>s</a></code>, <code><a href=#the-small-element>small</a></code>, and <code><a href=#the-u-element>u</a></code>.</p>
 
 
-  <h4 id=syntax-errors><span class=secno>1.11.2 </span>Syntax errors</h4>
+  <h4 id=syntax-errors><span class=secno>1.12.2 </span>Syntax errors</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -2773,7 +2858,7 @@
 
 
 
-  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.11.3 </span>Restrictions on content models and on attribute values</h4>
+  <h4 id=restrictions-on-content-models-and-on-attribute-values><span class=secno>1.12.3 </span>Restrictions on content models and on attribute values</h4>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -3017,7 +3102,7 @@
 
    </dd>
 
-  </dl><h3 id=recommended-reading><span class=secno>1.12 </span>Recommended reading</h3>
+  </dl><h3 id=recommended-reading><span class=secno>1.13 </span>Recommended reading</h3>
 
   <p><i>This section is non-normative.</i></p>
 
@@ -8236,7 +8321,9 @@
 
      <li><p>Take ownership of the <a href=#storage-mutex>storage mutex</a>.</li>
 
-     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a></li>
+     <li><p>Update the cookies. <a href=#refsCOOKIES>[COOKIES]</a>
+     <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+     </li>
 
      <li><p>Release the <a href=#storage-mutex>storage mutex</a> so that it is once
      again free.</li>
@@ -10078,8 +10165,8 @@
   </dl><div class=impl>
 
   <p>The <dfn id=dom-document-cookie title=dom-document-cookie><code>cookie</code></dfn>
-  attribute represents the cookies of the resource from which the
-  <code><a href=#document>Document</a></code> was created.</p>
+  attribute represents the cookies of the resource identified by
+  <a href="#the-document's-address">the document's address</a>.</p>
 
   <p>A <code><a href=#document>Document</a></code> object that falls into one of the
   following conditions is a <dfn id=cookie-averse-document-object>cookie-averse <code>Document</code>
@@ -10103,7 +10190,9 @@
   first <a href=#obtain-the-storage-mutex>obtain the storage mutex</a> and then return the
   cookie-string for <a href="#the-document's-address">the document's address</a> for a
   "non-HTTP" API, <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error handling</a>.
-  <a href=#refsCOOKIES>[COOKIES]</a></p>
+  <a href=#refsCOOKIES>[COOKIES]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>On setting, if the document is a <a href=#cookie-averse-document-object>cookie-averse
   <code>Document</code> object</a>, then the user agent must do
@@ -36057,7 +36146,7 @@
 
   <p>All the bitmaps created during a single <a href=#concept-task title=concept-task>task</a> for canvases that use 2D contexts
   must have the same resolution.
-  <!--XXX 4INSERT FINGERPRINT-->
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
   </p>
 
   <pre class=idl>partial interface <a href=#screen>Screen</a> {
@@ -38786,7 +38875,9 @@
   <code><a href=#securityerror>SecurityError</a></code> exception.
 <!--REMOVE-TOPIC:Security-->
   Otherwise, it must return the new <code><a href=#textmetrics>TextMetrics</a></code> object.
-  <a href=#refsCSS>[CSS]</a></p>
+  <a href=#refsCSS>[CSS]</a>
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -49978,7 +50069,9 @@
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Submit" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>, specifically a <a href=#concept-submit-button title=concept-submit-button>submit button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
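Review bot: the marker sits at the end of the submit-button paragraph, but the vector is one clause earlier: the default label is an implementation-defined string 'that means "Submit" or some such', so it varies by user agent and by the language it is localized into. As placed, the icon reads as if being a submit button were the concern; a half-sentence noting that the variability of the default label is what can be fingerprinted would make it self-explanatory. The same applies to the reset-button hunk that follows.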
 
@@ -50331,7 +50424,9 @@
   element has a <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute,
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Reset" or
-  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.</p>
+  some such.</span> The element is a <a href=#concept-button title=concept-button>button</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <div class=impl>
 
@@ -72434,7 +72529,9 @@
    <li>The user has not disabled scripting for this <a href=#browsing-context>browsing
    context</a> at this time. (User agents may provide users with
    the option to disable scripting globally, or in a finer-grained
-   manner, e.g. on a per-origin basis.)</li>
+   manner, e.g. on a per-origin basis.)
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </li>
 
    <li id=sandboxScriptBlocked>The <a href=#browsing-context>browsing context</a>'s
    <a href=#active-document>active document</a>'s <a href=#active-sandboxing-flag-set>active sandboxing flag
@@ -75014,7 +75111,9 @@
   to user can be used to profile the user. In fact, if enough such
   information is available, a user can actually be uniquely
   identified. For this reason, user agent implementors are strongly
-  urged to include as little information in this API as possible.</p>
+  urged to include as little information in this API as possible.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   </div>
 
@@ -75330,7 +75429,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   scheme and the second gives the string used to build the
-  <a href=#url>URL</a> of the page that will handle the requests.</p>
+  <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the schemes for which
   custom protocol handlers are registered in an <a href=#ascii-case-insensitive>ASCII
@@ -75345,7 +75446,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   <a href=#mime-type>MIME type</a> and the second gives the string used to build
-  the <a href=#url>URL</a> of the page that will handle the requests.</p>
+  the <a href=#url>URL</a> of the page that will handle the requests.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>The first argument must be compared to the <a href=#mime-type title="MIME
   type">MIME types</a> for which custom content handlers are
@@ -75717,7 +75820,9 @@
     <a href=#url>URL</a> to an OpenSearch description document. <a href=#refsOPENSEARCH>[OPENSEARCH]</a></li>
 
    </ol><p>The <dfn id=dom-external-issearchproviderinstalled title=dom-external-IsSearchProviderInstalled><code>IsSearchProviderInstalled()</code></dfn>
-   method, when invoked, must run the following steps:</p>
+   method, when invoked, must run the following steps:
+   <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+   </p>
 
    <ol><li><p>Optionally, return 0 and abort these steps. User agents may
     implement the method as a stub method that never returns a
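Review bot: the step immediately after the marked paragraph already permits a user agent to "return 0 and abort these steps" as a stub, which is exactly the mitigation for the vector being flagged. Either the marker should sit next to that option or the step should say that the stub behaviour is the privacy-preserving choice, so the warning and the remedy are read together instead of the icon looking like a bare warning.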
@@ -85042,7 +85147,9 @@
 
   <p>The <dfn id=dom-localstorage title=dom-localStorage><code>localStorage</code></dfn>
   object provides a <code><a href=#storage-0>Storage</a></code> object for an
-  <a href=#origin>origin</a>.</p>
+  <a href=#origin>origin</a>.
+  <a class=fingerprint href=#fingerprint><img alt="(This is a fingerprinting vector.)" src=http://images.whatwg.org/fingerprint.png></a>
+  </p>
 
   <p>User agents must have a set of local storage areas, one for each
   <a href=#origin>origin</a>.</p>
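Review bot: `localStorage` gets the same icon as, say, text measurement, but it is a different kind of vector: a per-origin persistent store that can hold an identifier the page itself put there, like `document.cookie` above, not a characteristic of the user's system that can be read out. The Privacy concerns section draws exactly this distinction (cookies versus the "more subtle" mechanisms), so either the sentence that defines the marker should say it covers both kinds, or identifier stores deserve their own wording; otherwise a reader may expect `localStorage` to leak environment data.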

Modified: source
===================================================================
--- source	2012-07-26 05:50:45 UTC (rev 7204)
+++ source	2012-07-26 06:53:46 UTC (rev 7205)
@@ -56,7 +56,9 @@
         this would cause. We'll probably be able to fix them some day,
         but for now we are living with them. -->
 
+<!--START storage-->
 <!--SET FINGERPRINT=<a href="#fingerprint" class="fingerprint"><img src="images/fingerprint.png" alt="(This is a fingerprinting vector.)"></a>-->
+<!--END storage-->
 
 <!--START w3c-html-->
   <h2 id="introduction">Introduction</h2>
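Review bot: wrapping the `SET FINGERPRINT` definition in `<!--START storage-->`/`<!--END storage-->` while `<!--INSERT FINGERPRINT-->` is expanded in sections far outside Web Storage (cookies, canvas, forms, scripting, `navigator`) only works if the build expands SET/INSERT before it applies the START/END splits; if a split strips the definition first, every INSERT outside the storage extract is left unexpanded or expands to nothing. Worth checking the output of each split, not only complete.html.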
@@ -849,7 +851,96 @@
   <p class="impl">This is an implementation requirement.</p>
 
 
+  <h3 id="fingerprint">Privacy concerns</h3>
 
+  <!--END dev-html--><p><i>This section is non-normative.</i></p><!--START dev-html-->
+
+  <p>Some features of HTML trade user convenience for a measure of
+  user privacy.</p>
+
+  <p>In general, due to the Internet's architecture, a user can be
+  distinguished from another by the user's IP address. IP addresses do
+  not perfectly match to a user; as a user moves from device to
+  device, or from network to network, their IP address will change;
+  similarly, NAT routing, proxy servers, and shared computers enable
+  packets that appear to all come from a single IP address to actually
+  map to multiple users. Technologies such as onion routing can be
+  used to further anonymize requests so that requests from a single
+  user at one node on the Internet appear to come from many disparate
+  parts of the network.</p>
+
+  <p>However, the IP address used for a user's requests is not the
+  only mechanism by which a user's requests could be related to each
+  other. Cookies, for example, are designed specifically to enable
+  this, and are the basis of most of the Web's session features that
+  enable you to log into a site with which you have an account.</p>
+
+  <p>There are other mechanisms that are more subtle. Certain
+  characteristics of a user's system can be used to distinguish groups
+  of users from each other; by collecting enough such information, an
+  individual user's browser's "digital fingerprint" can be computed,
+  which can be as good, if not better, as an IP address in
+  ascertaining which requests are from the same user.</p>
+
+  <p>Grouping requests in this manner, especially across multiple
+  sites, can be used for both benign (and even arguably positive)
+  purposes, as well as for malevolent purposes. An example of a
+  reasonably benign purpose would be determining whether a particular
+  person seems to prefer sites with dog illustrations as opposed to
+  sites with cat illstrations (based on how often they visit the sites
+  in question) and then automatically using the preferred
+  illustrations on subsequent visits to participating sites.
+  Malevolent purposes, however, could include governments combining
+  information such as the person's home address (determined from the
+  addresses they use when getting driving directions on one site) with
+  their apparent political affiliations (determined by examining the
+  forum sites that they participate in) to determine whether the
+  person should be prevented from voting in an election.</p>
+
+  <p>Since the malevolent purposes can be remarkably evil, user agent
+  implementors are encouraged to consider how to provide their users
+  with tools to minimise leaking information that could be used to
+  fingerprint a user.</p>
+
+  <p>Unfortunately, as the first paragraph in this section implies,
+  sometimes there is great benefit to be derived from exposing the
+  very information that can also be used for fingerprinting purposes,
+  so it's not as easy as simply blocking all possible leaks. For
+  instance, the ability to log into a site to post under a specific
+  identity requires that the user's requests be identifiable as all
+  being from the same user, more or less by definition. More subtly,
+  though, information such as how wide text is, which is necessary for
+  many effects that involve drawing text onto a canvas (e.g. any
+  effect that involves drawing a border around the text) also leaks
+  information that can be used to group a user's requests. (In this
+  case, by potentially exposing, via a brute force search, which fonts
+  a user has installed, information which can vary considerably from
+  user to user.)</p>
+
+  <p>Features in this specification which can be used to fingerprint
+  the user are marked as this paragraph is.
+  <!--INSERT FINGERPRINT-->
+  </p>
+
+  <p>Other features in the platform can be used for the same purpose,
+  though, including, though not limited to:</p>
+
+  <ul>
+
+   <li>The exact list of which features a user agents supports.</li>
+
+   <li>The maximum allowed stack depth for recursion in script.</li>
+
+   <li>Features that describe the user's environment, like Media
+   Queries and the <code>Screen</code> object. <a
+   href="#refsMQ">[MQ]</a> <a
+   href="#refsCSSOMVIEW">[CSSOMVIEW]</a></li>
+
+   <li>The user's time zone.</li>
+
+  </ul>
+
+
   <h3>A quick introduction to HTML</h3>
 
   <!--END dev-html--><p><i>This section is non-normative.</i></p><!--START dev-html-->
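Review bot: typos and grammar in the new Privacy concerns section: "cat illstrations" should be "cat illustrations"; "which features a user agents supports" should be "a user agent supports"; "as good, if not better, as an IP address" should be "as good as, if not better than, an IP address"; and "minimise" appears two paragraphs after "anonymize", so pick one spelling. In the closing list, "The user's time zone" is the only item without a pointer to where the value is exposed, unlike the Media Queries item with its [MQ] and [CSSOMVIEW] references; a matching citation would keep the list consistent.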
@@ -8165,8 +8256,9 @@
 
      <li><p>Take ownership of the <span>storage mutex</span>.</p></li>
 
-     <li><p>Update the cookies. <a
-     href="#refsCOOKIES">[COOKIES]</a></p></li>
+     <li><p>Update the cookies. <a href="#refsCOOKIES">[COOKIES]</a>
+     <!--INSERT FINGERPRINT-->
+     </p></li>
 
      <li><p>Release the <span>storage mutex</span> so that it is once
      again free.</p></li>
@@ -10290,8 +10382,8 @@
   <div class="impl">
 
   <p>The <dfn title="dom-document-cookie"><code>cookie</code></dfn>
-  attribute represents the cookies of the resource from which the
-  <code>Document</code> was created.</p>
+  attribute represents the cookies of the resource identified by
+  <span>the document's address</span>.</p>
 
   <p>A <code>Document</code> object that falls into one of the
   following conditions is a <dfn>cookie-averse <code>Document</code>
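Review bot: unlike the rest of this change, this hunk rewrites the normative definition of the `cookie` attribute (from "the resource from which the Document was created" to "the resource identified by the document's address") rather than only adding a marker. The new wording matches the getter algorithm below, which already uses the document's address, but for a document whose address differs from the URL it was created from the two wordings name different resources, so this is a substantive edit and deserves its own commit or at least a mention in the log.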
@@ -10321,7 +10413,9 @@
   first <span>obtain the storage mutex</span> and then return the
   cookie-string for <span>the document's address</span> for a
   "non-HTTP" API, <span>decoded as UTF-8, with error handling</span>.
-  <a href="#refsCOOKIES">[COOKIES]</a></p>
+  <a href="#refsCOOKIES">[COOKIES]</a>
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <p>On setting, if the document is a <span>cookie-averse
   <code>Document</code> object</span>, then the user agent must do
@@ -41978,7 +42072,7 @@
   <p>All the bitmaps created during a single <span
   title="concept-task">task</span> for canvases that use 2D contexts
   must have the same resolution.
-  <!--XXX 4INSERT FINGERPRINT-->
+  <!--INSERT FINGERPRINT-->
   </p>
 
   <pre class="idl">partial interface <span>Screen</span> {
@@ -45260,7 +45354,9 @@
   <code>SecurityError</code> exception.
 <!--REMOVE-TOPIC:Security-->
   Otherwise, it must return the new <code>TextMetrics</code> object.
-  <a href="#refsCSS">[CSS]</a></p>
+  <a href="#refsCSS">[CSS]</a>
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   </div>
 
@@ -58247,7 +58343,9 @@
   it must be an implementation-defined string that means "Submit" or
   some such.</span> The element is a <span
   title="concept-button">button</span>, specifically a <span
-  title="concept-submit-button">submit button</span>.</p>
+  title="concept-submit-button">submit button</span>.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <div class="impl">
 
@@ -58684,7 +58782,9 @@
   the button's label must be the value of that attribute; otherwise,
   it must be an implementation-defined string that means "Reset" or
   some such.</span> The element is a <span
-  title="concept-button">button</span>.</p>
+  title="concept-button">button</span>.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <div class="impl">
 
@@ -84801,7 +84901,9 @@
    <li>The user has not disabled scripting for this <span>browsing
    context</span> at this time. (User agents may provide users with
    the option to disable scripting globally, or in a finer-grained
-   manner, e.g. on a per-origin basis.)</li>
+   manner, e.g. on a per-origin basis.)
+   <!--INSERT FINGERPRINT-->
+   </li>
 
    <li id="sandboxScriptBlocked">The <span>browsing context</span>'s
    <span>active document</span>'s <span>active sandboxing flag
@@ -87811,7 +87913,9 @@
   to user can be used to profile the user. In fact, if enough such
   information is available, a user can actually be uniquely
   identified. For this reason, user agent implementors are strongly
-  urged to include as little information in this API as possible.</p>
+  urged to include as little information in this API as possible.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   </div>
 
@@ -88171,7 +88275,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   scheme and the second gives the string used to build the
-  <span>URL</span> of the page that will handle the requests.</p>
+  <span>URL</span> of the page that will handle the requests.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <p>The first argument must be compared to the schemes for which
   custom protocol handlers are registered in an <span>ASCII
@@ -88190,7 +88296,9 @@
   closely describes the current state of the handler described by the
   two arguments to the method, where the first argument gives the
   <span>MIME type</span> and the second gives the string used to build
-  the <span>URL</span> of the page that will handle the requests.</p>
+  the <span>URL</span> of the page that will handle the requests.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <p>The first argument must be compared to the <span title="MIME
   type">MIME types</span> for which custom content handlers are
@@ -88620,7 +88728,9 @@
 
    <p>The <dfn
    title="dom-external-IsSearchProviderInstalled"><code>IsSearchProviderInstalled()</code></dfn>
-   method, when invoked, must run the following steps:</p>
+   method, when invoked, must run the following steps:
+   <!--INSERT FINGERPRINT-->
+   </p>
 
    <ol>
 
@@ -98879,7 +98989,9 @@
 
   <p>The <dfn title="dom-localStorage"><code>localStorage</code></dfn>
   object provides a <code>Storage</code> object for an
-  <span>origin</span>.</p>
+  <span>origin</span>.
+  <!--INSERT FINGERPRINT-->
+  </p>
 
   <p>User agents must have a set of local storage areas, one for each
   <span>origin</span>.</p>



