WICG / layout-instability

A proposal for a Layout Instability specification
https://wicg.github.io/layout-instability/

Add possible GPU fingerprinting concerns to the "security & privacy" section #44

Closed amtunlimited closed 4 years ago

amtunlimited commented 4 years ago

The more specific information given by the new "Source Attribution" could lead to fingerprinting based on variations in GPU, CPU, and driver configuration leading to variations in the timing and amount of the changes of various elements on a page consistent across different sites.

skobes-chromium commented 4 years ago

Thanks for filing this. Can you give a little more context on the concern? How exactly would GPU and driver configuration enable fingerprinting through the Layout Instability API?

amtunlimited commented 4 years ago

> How exactly would GPU and driver configuration enable fingerprinting through the Layout Instability API?

You could, for example, make several different processing-intensive canvas elements and watch the source attribution list. Differences in GPUs would mean different times the elements hit the list and possibly different values for the cumulative score itself. These results would be at least somewhat consistent between reloads and unique among user agents with different GPUs and hardware-acceleration settings, which adds to overall entropy.

> Can you give a little more context on the concern?

Concern probably wasn't the right word. More just a consideration. Probably not a huge issue, but it does add to the possible fingerprinting surfaces, as most graphic/timing related APIs can do.

skobes-chromium commented 4 years ago

It is true that a webpage can make observations about the time spent to render a processing-intensive canvas element, and that this time may depend on the capabilities of the GPU.

It is also true that the CLS score can in some cases change depending on the time required to render something, because timing may determine whether two layout shifts occur in the same animation frame or in different frames.

But a webpage doesn't need the source attribution list of a layout shift event to observe the time spent to render a processing-intensive canvas element. It can make that observation more directly using requestAnimationFrame and performance.now().

So, I don't think the Layout Instability API raises any significant considerations for GPU fingerprinting. I will tentatively close this issue, but please let me know if I have misunderstood the concern.
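
An added illustration of the reasoning in the comment above, not part of the thread and not code from the spec or from Chromium: a simplified model of how render time decides whether two shifts land in the same animation frame, and of why that observable is a coarser function of a duration that direct timing already exposes. The 60 Hz frame interval, the function names and the sample durations are assumptions constructed for this example.

```javascript
// Assumption: 60 Hz display, one animation frame every 1000/60 ms.
const FRAME_MS = 1000 / 60;

// Index of the animation frame in which a change at time tMs is presented.
function frameOf(tMs, frameMs = FRAME_MS) {
  return Math.floor(tMs / frameMs);
}

// Simplified model: one element shifts at firstShiftMs, a second shifts only
// after a render step lasting renderMs. Shifts that land in the same frame
// are reported together; otherwise they show up in two separate frames.
function observedFrames(firstShiftMs, renderMs, frameMs = FRAME_MS) {
  const frames = [
    frameOf(firstShiftMs, frameMs),
    frameOf(firstShiftMs + renderMs, frameMs),
  ];
  return [...new Set(frames)];
}

// Count how many distinct outcomes each observation channel can tell apart
// across a set of render durations (one per hypothetical device).
function distinctOutcomes(renderDurationsMs, firstShiftMs = 5) {
  const viaFrames = new Set(
    renderDurationsMs.map((d) => observedFrames(firstShiftMs, d).join(","))
  );
  const viaDirectTiming = new Set(renderDurationsMs);
  return { viaLayoutShift: viaFrames.size, viaDirectTiming: viaDirectTiming.size };
}

// Constructed sample: render durations in ms for six hypothetical devices.
const SAMPLE_RENDER_MS = [2, 9, 14, 21, 30, 38];

for (const d of SAMPLE_RENDER_MS) {
  console.log(`render ${d} ms -> frames [${observedFrames(5, d).join(", ")}]`);
}
console.log(distinctOutcomes(SAMPLE_RENDER_MS));
```

In this model the frame pattern is computed from the render duration alone, so it can never separate more devices than the duration itself does.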