[html5] r8231 - [giow] (0) Try to improve the fingerprinting-avoidance advice for navigator.lang [...]
whatwg at whatwg.org
Fri Oct 18 13:52:40 PDT 2013
Author: ianh
Date: 2013-10-18 13:52:38 -0700 (Fri, 18 Oct 2013)
New Revision: 8231
Modified:
complete.html
index
source
Log:
[giow] (0) Try to improve the fingerprinting-avoidance advice for navigator.language
Affected topics: DOM APIs, HTML
Modified: complete.html
===================================================================
--- complete.html 2013-10-18 19:26:52 UTC (rev 8230)
+++ complete.html 2013-10-18 20:52:38 UTC (rev 8231)
@@ -72834,26 +72834,35 @@
<dl><!--
<dt><dfn title="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
- <dd><p>Must return either the string "<code title="">en</code>" or a language tag representing
- the language the browser uses in its interface.</p></dd>
+ <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+ language the browser uses in its interface.</p></dd>
<dt><dfn title="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
--><!-- at time of testing, this was supported by Opera, Safari, and Mozilla only --><dt><dfn id=dom-navigator-language title=dom-navigator-language><code>language</code></dfn></dt>
- <dd><p>Must return either the string "<code title="">en</code>" or a valid BCP 47 language tag
- representing the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
+ <dd><p>Must return a valid BCP 47 language tag representing either <a href=#a-plausible-language>a plausible
+ language</a> or the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
- </dl><p class=warning>As for the API in the previous section, any information in this API that varies
- from user to user can be used to profile or identify the user. For this reason, user agent
- implementors are encouraged to return "en" unless the user has explicitly indicated that the site
- in question is allowed access to the information.
- <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
- </p>
+ </dl><p>To determine <dfn id=a-plausible-language>a plausible language</dfn>, the user agent should bear in mind the following:</p>
- </div>
+ <ul><li>Any information in this API that varies from user to user can be used to profile or identify
+ the user.
+ <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
+ </li>
+ <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+ anonymity network), then the value that is least likely to distinguish the user from other users
+ with similar origins (e.g. from the same IP address block) is the language used by the majority
+ of such users. <a href=#refsTOR>[TOR]</a></li>
+ <li>If the user is using an anonymizing service, then the value "<code title="">en-US</code>" is
+ suggested; if all users of the service use that same value, that reduces the possibility of
+ distinguishing the users from each other.</li>
+ </ul></div>
+
+
+
<h5 id=custom-handlers><span class=secno>7.6.1.3 </span>Custom scheme and content handlers</h5>
<pre class=idl>[NoInterfaceObject]
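Review bot: The removed warning paragraph stated when the real value may be exposed ("unless the user has explicitly indicated that the site in question is allowed access to the information"), and nothing in the added lines replaces that condition. The new definition of language permits "either a plausible language or the user's preferred language" without saying which one to return, so a user agent that always returns the user's preferred language still conforms and the fingerprinting vector stays fully open. Suggest adding a sentence after the list that ties returning the user's preferred language to an explicit user choice, or that otherwise states when a plausible language is to be preferred.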
@@ -100584,6 +100593,9 @@
<dt id=refsSVG>[SVG]</dt>
<dd><cite><a href=http://www.w3.org/TR/SVGTiny12/>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</a></cite>, O. Andersson, R. Berjon, E. Dahlström, A. Emmons, J. Ferraiolo, A. Grasso, V. Hardy, S. Hayman, D. Jackson, C. Lilley, C. McCormack, A. Neumann, C. Northway, A. Quint, N. Ramani, D. Schepers, A. Shellshear. W3C.</dd>
+ <dt id=refsTOR>[TOR]</dt>
+ <dd>(Non-normative) <cite><a href=https://www.torproject.org/>Tor</a></cite>.</dd>
+
<dt id=refsTYPEDARRAY>[TYPEDARRAY]</dt>
<dd><cite><a href=http://www.khronos.org/registry/typedarray/specs/latest/>Typed Array Specification</a></cite>, D. Herman, K. Russell. Khronos.</dd>
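Review bot: The new [TOR] entry consists only of a title and a link, while the neighbouring [SVG] and [TYPEDARRAY] entries end with their authors and publisher. Suggest adding the publishing organisation after the closing cite element so the entry matches the format of the rest of the list; the same entry is added to index and source.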
Modified: index
===================================================================
--- index 2013-10-18 19:26:52 UTC (rev 8230)
+++ index 2013-10-18 20:52:38 UTC (rev 8231)
@@ -72834,26 +72834,35 @@
<dl><!--
<dt><dfn title="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
- <dd><p>Must return either the string "<code title="">en</code>" or a language tag representing
- the language the browser uses in its interface.</p></dd>
+ <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+ language the browser uses in its interface.</p></dd>
<dt><dfn title="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
--><!-- at time of testing, this was supported by Opera, Safari, and Mozilla only --><dt><dfn id=dom-navigator-language title=dom-navigator-language><code>language</code></dfn></dt>
- <dd><p>Must return either the string "<code title="">en</code>" or a valid BCP 47 language tag
- representing the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
+ <dd><p>Must return a valid BCP 47 language tag representing either <a href=#a-plausible-language>a plausible
+ language</a> or the user's preferred language. <a href=#refsBCP47>[BCP47]</a></dd>
- </dl><p class=warning>As for the API in the previous section, any information in this API that varies
- from user to user can be used to profile or identify the user. For this reason, user agent
- implementors are encouraged to return "en" unless the user has explicitly indicated that the site
- in question is allowed access to the information.
- <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
- </p>
+ </dl><p>To determine <dfn id=a-plausible-language>a plausible language</dfn>, the user agent should bear in mind the following:</p>
- </div>
+ <ul><li>Any information in this API that varies from user to user can be used to profile or identify
+ the user.
+ <a href=#fingerprinting-vector class=fingerprint title="fingerprinting vector"><img src=http://images.whatwg.org/fingerprint.png width=46 alt="(This is a fingerprinting vector.)" height=64></a>
+ </li>
+ <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+ anonymity network), then the value that is least likely to distinguish the user from other users
+ with similar origins (e.g. from the same IP address block) is the language used by the majority
+ of such users. <a href=#refsTOR>[TOR]</a></li>
+ <li>If the user is using an anonymizing service, then the value "<code title="">en-US</code>" is
+ suggested; if all users of the service use that same value, that reduces the possibility of
+ distinguishing the users from each other.</li>
+ </ul></div>
+
+
+
<h5 id=custom-handlers><span class=secno>7.6.1.3 </span>Custom scheme and content handlers</h5>
<pre class=idl>[NoInterfaceObject]
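Review bot: In the second list item the [TOR] citation sits at the end of the sentence, after "the language used by the majority of such users", which reads as though the reference supported the majority-language claim rather than the Tor example. Suggest moving the link next to "the Tor anonymity network" in the parenthetical. The third item, which is the one that gives advice for anonymizing services, carries no reference and could cite it as well.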
@@ -100584,6 +100593,9 @@
<dt id=refsSVG>[SVG]</dt>
<dd><cite><a href=http://www.w3.org/TR/SVGTiny12/>Scalable Vector Graphics (SVG) Tiny 1.2 Specification</a></cite>, O. Andersson, R. Berjon, E. Dahlström, A. Emmons, J. Ferraiolo, A. Grasso, V. Hardy, S. Hayman, D. Jackson, C. Lilley, C. McCormack, A. Neumann, C. Northway, A. Quint, N. Ramani, D. Schepers, A. Shellshear. W3C.</dd>
+ <dt id=refsTOR>[TOR]</dt>
+ <dd>(Non-normative) <cite><a href=https://www.torproject.org/>Tor</a></cite>.</dd>
+
<dt id=refsTYPEDARRAY>[TYPEDARRAY]</dt>
<dd><cite><a href=http://www.khronos.org/registry/typedarray/specs/latest/>Typed Array Specification</a></cite>, D. Herman, K. Russell. Khronos.</dd>
Modified: source
===================================================================
--- source 2013-10-18 19:26:52 UTC (rev 8230)
+++ source 2013-10-18 20:52:38 UTC (rev 8231)
@@ -81419,26 +81419,39 @@
<!--
<dt><dfn data-x="dom-navigator-browserLanguage"><code>browserLanguage</code></dfn></dt> <!- - Opera and IE only - ->
- <dd><p>Must return either the string "<code data-x="">en</code>" or a language tag representing
- the language the browser uses in its interface.</p></dd>
+ <dd><p>Must return a language tag representing either <span>a plausible language</span> or the
+ language the browser uses in its interface.</p></dd>
<dt><dfn data-x="dom-navigator-userLanguage"><code>userLanguage</code></dfn></dt> <!- - Opera and IE only - ->
-->
<!-- at time of testing, this was supported by Opera, Safari, and Mozilla only -->
<dt><dfn data-x="dom-navigator-language"><code>language</code></dfn></dt>
- <dd><p>Must return either the string "<code data-x="">en</code>" or a valid BCP 47 language tag
- representing the user's preferred language. <a href="#refsBCP47">[BCP47]</a></p></dd>
+ <dd><p>Must return a valid BCP 47 language tag representing either <span>a plausible
+ language</span> or the user's preferred language. <a href="#refsBCP47">[BCP47]</a></p></dd>
</dl>
- <p class="warning">As for the API in the previous section, any information in this API that varies
- from user to user can be used to profile or identify the user. For this reason, user agent
- implementors are encouraged to return "en" unless the user has explicitly indicated that the site
- in question is allowed access to the information.
- <!--INSERT FINGERPRINT-->
- </p>
+ <p>To determine <dfn>a plausible language</dfn>, the user agent should bear in mind the following:</p>
+ <ul>
+
+ <li>Any information in this API that varies from user to user can be used to profile or identify
+ the user.
+ <!--INSERT FINGERPRINT-->
+ </li>
+
+ <li>If the user is not using a service that obfuscates the user's point of origin (e.g. the Tor
+ anonymity network), then the value that is least likely to distinguish the user from other users
+ with similar origins (e.g. from the same IP address block) is the language used by the majority
+ of such users. <a href="#refsTOR">[TOR]</a></li>
+
+ <li>If the user is using an anonymizing service, then the value "<code data-x="">en-US</code>" is
+ suggested; if all users of the service use that same value, that reduces the possibility of
+ distinguishing the users from each other.</li>
+
+ </ul>
+
</div>
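Review bot: The second and third list items branch on whether the user is using an anonymizing service and on "the language used by the majority" of users in the same IP address block, but the text does not say how a user agent is expected to learn either fact. Under "should bear in mind" the list cannot be tested for conformance. Suggest either marking the list as non-normative guidance or stating that both inputs come from user agent configuration. The first item is also a statement of risk rather than a consideration for choosing a value, and would read better as the introductory sentence before the list.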
@@ -112418,6 +112431,9 @@
<dd><cite><a
href="http://www.nectec.or.th/it-standards/std620/std620.htm">UDC 681.3.04:003.62</a></cite>. Thai Industrial Standards Institute, Ministry of Industry, Royal Thai Government. ISBN 974-606-153-4.</dd>
+ <dt id="refsTOR">[TOR]</dt>
+ <dd>(Non-normative) <cite><a href="https://www.torproject.org/">Tor</a></cite>.</dd>
+
<dt id="refsTURN">[TURN]</dt>
<dd><cite><a href="http://tools.ietf.org/html/rfc5766">Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)</a></cite>, R. Mahy, P. Matthews, J. Rosenberg. IETF.</dd>