timezonechange event could enable cross-origin tracking via simultaneous background event firing (whatwg/html#3047)

[npdoty]

A new event to be triggered when the user's timezone changes (as opposed to polling) could have privacy implications if the event is fired in all tabs/browsing contexts simultaneously. Discussion also notes that there may be other events with similar properties in HTML. We previously noted this with Idle API, Proximity, Ambient Light, generic Sensor API and MediaCapture.

This is a threat we should add to threat model or other guidance documents.

§ https://github.com/whatwg/html/pull/3047

[npdoty]

my comments:

• https://github.com/whatwg/html/pull/3047#issuecomment-573847868
• https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/4BUSE2aTQEc/a5-gBNTdCAAJ

Discussion is happening in this pull request, rather than an issue: https://github.com/whatwg/html/pull/3047

[samuelweiler]

also discussed re: GamePad https://github.com/w3c/gamepad/issues/74#issuecomment-433403518

[jyasskin]

I've mentioned this more generally in https://w3cping.github.io/privacy-threat-model/#cap-visible-for-browser-event, and @asankah discussed it in detail in https://asankah.github.io/ephemeral-fingerprinting/.