w3c / baggage

Propagation format for distributed context: Baggage
https://w3c.github.io/baggage/

Different behaviour in private browsing/incognito mode? #84

Closed hadleybeeman closed 2 years ago

hadleybeeman commented 2 years ago

As part of our W3C TAG review of this — in the privacy vein, we talked about whether it would be good for this to behave differently in private/incognito browsing mode. It struck us that there is nothing to stop the application provider from sending headers derived from information tied to the machine or usual user (their IP address, their user ID, etc.). We wondered if it might make sense to ask user agents to ignore the trace ID altogether when in private/incognito mode, so that the user's experience isn't tied to the experience that same user (or whoever they share a browser with) gets when not in private/incognito mode. What are your thoughts on this?

SergeyKanzhelev commented 2 years ago

This issue speaks of a specific scenario where a user is browsing the app, which has JS code that will inject specially formed headers that will be stored by "downstream" components and later be used to de-anonymize a user who was using incognito browsing.

I think this scenario is not any different from that JS code forming cookies that will contain the same information, and the "downstream" application can store this information the same way. Even though cookies will not be preserved between sessions, "downstream" components have already collected enough information to de-anonymize the user.

This specification doesn't make it easier or harder to implement this de-anonymization behavior. We may need to revisit this and have special treatment for incognito mode when/if this functionality is ever built into the browser itself.

kalyanaj commented 2 years ago

Closing this as this has been covered as part of the discussion at https://github.com/w3ctag/design-reviews/issues/650.