Refine definition of fingerprinting to exclude entropy behind a prompt? #20

Open
jasonanovak opened this issue Aug 2, 2018 · 2 comments

Comments

@jasonanovak

In 1.1, fingerprinting is defined as:

“In short, browser fingerprinting is the capability of a site to identify or re-identify a visiting user, user agent or device via configuration settings or other observable characteristics.”

In practice, browser developers (and PING) seem to consider prompting as a mitigation for fingerprinting. As a result, it seems like it would be worthwhile to add some notion of “passively without user interaction” or “without prompting or alerting the user” to the definition of fingerprinting.

@npdoty
Collaborator

npdoty commented Dec 31, 2018

As noted in #21, I'm not sure we should change the definition, but I do think there's an important mitigation to be highlighted here.

@jyasskin
Member

jyasskin commented Jan 9, 2020

FWIW, I think it's still a problem if users who grant an innocuous-looking permission prompt wind up accidentally giving a site access to a permanent identifier for their installation. So 👍 on treating the prompt as a severity reduction rather than excluding the entropy entirely.
