w3c / window-management

Window Management API
https://www.w3.org/TR/window-management/

isExtended is additional fingerprinting surface #120

Open pes10k opened 1 year ago

pes10k commented 1 year ago

This issue is being filed as part of the requested PING privacy review #106

As noted in the spec, isExtended is additional fingerprinting surface that is not mitigated or prevented by the spec. This is particularly concerning since the screen APIs are already well known and exploited by fingerprinters, and so it seems very likely that this bit will be similarly used by fingerprinters.

One possibility is to remove the property altogether and just have sites use the result of the permission-guarded getScreenDetails. A website needing to use explicit multi-screen capabilities seems extremely rare as a % of websites, and I imagine that users could easily predict when these features are needed for benign functionality (either because of the kind of site, or because of the site using a "click to enable multi-monitor support" button).
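
The alternative suggested in this issue, as an added example that is not part of the original comment or of the spec: a site decides on multi-screen mode only from the permission-gated `getScreenDetails()` call, made from an explicit opt-in button, and never reads `isExtended`. The function names, the `win` parameter and the result shape are assumptions for illustration.

```javascript
// Added example (not from the spec or the issue author).
// `win` is a hypothetical parameter standing in for `window`, so the logic
// can be exercised against a mock outside a browser.
async function requestMultiScreen(win) {
  // Browsers without the Window Management API: stay single-screen.
  if (typeof win.getScreenDetails !== "function") {
    return { mode: "single", reason: "unsupported" };
  }
  try {
    // Permission-gated call; the user agent may show a prompt here.
    const details = await win.getScreenDetails();
    const count = details.screens.length;
    if (count < 2) {
      return { mode: "single", reason: "one-screen" };
    }
    return { mode: "multi", reason: "granted", screenCount: count };
  } catch (err) {
    // A denied or blocked permission rejects with NotAllowedError.
    if (err && err.name === "NotAllowedError") {
      return { mode: "single", reason: "denied" };
    }
    throw err; // anything else is unexpected; surface it
  }
}

// Ask only when the user clicks the opt-in control, so the request is
// predictable to the user and no screen information is read passively.
function wireOptIn(button, win, onResult) {
  button.addEventListener("click", async () => {
    onResult(await requestMultiScreen(win));
  });
}
```
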