mozilla / standards-positions

https://mozilla.github.io/standards-positions/
Mozilla Public License 2.0

EME Extension: HDCP Policy Check #243

Open SingingTree opened 4 years ago

SingingTree commented 4 years ago

Request for Mozilla Position on an Emerging Web Specification

Other information

This check is currently implemented in Gecko, but is behind a pref. I'm seeking more input on what we'd like to see before exposing the functionality without a pref being set.

dbaron commented 4 years ago

w3ctag/design-reviews#323 might have a few useful thoughts here.

dbaron commented 4 years ago

How much will the results of this API vary between Firefox users, and what would cause the variation?

hsivonen commented 4 years ago

> How much will the results of this API vary between Firefox users, and what would cause the variation?

Hmm. This API has become worse for fingerprinting since I last paid attention: Instead of exposing a boolean, there are now more outcomes. The explainer shows 10 distinct outcomes of which Firefox and Chromium presently know about 9.

The source of variation would be the combination of operating system, GPU driver(s), GPU(s), and screen(s). One might argue that WebGL already exposes a hopeless number of fingerprinting bits that correlate with these.

In the WICG issue, it's said: "Several open-access license servers exist for the purposes of testing and integration, and their CORS headers allow access from "*". So this becomes all sites running in a secure context. Any HTTPS-hosted site can do a license exchange with these open license servers."

So this means that even without this API, these fingerprinting bits are available to the Web, but this API makes the bits available with less effort and without a (potentially detectable and blockable) HTTP round trip to an open-access license server.

I'll ping you off-GitHub about reducing the fingerprinting bits.