webscreens / screen-enumeration

Screen enumeration API explainer
Apache License 2.0

Security and privacy writeup does not discuss fingerprinting #22

Closed markafoltz closed 4 years ago

markafoltz commented 4 years ago

The S&P writeup briefly touches on per-device information exposed by the API:

Enumerating the displays connected to the computer does provide significant entropy. If multiple computers are connected to the same set of displays, an attacker may use the display information to deduce that those computers are in the same physical vicinity. To mitigate this issue, user permission is required to access the display list.

An issue beyond physical proximity is that the site would learn a number of persistent characteristics of the user's computing environment, especially for systems that are always connected to multiple monitors. While that may be a minority of users overall, a site would get a number of bits of entropy for fingerprinting (starting with the fact that the user has multiple displays to begin with).

As we iterate this API in the CG, we should keep in mind the TAG guidance on unsanctioned tracking and implement fingerprinting mitigations.

Both the explainer and the S&P writeup mention requiring "user permission" to access the screen list. However, I think a more detailed proposal would describe how an application would request this permission, how it would know whether it was granted, and how a browser could sensibly make the permission request to the user with sufficient context to make an informed choice.

michaelwasserman commented 4 years ago

This is definitely an important issue, and I'm actively engaging with Chrome's privacy team to determine the best way to proceed. I'll expand on the proposal's discussion of fingerprinting concerns and mitigations with some initial thoughts, and refine those sections as conversations progress.

michaelwasserman commented 4 years ago

The updated Window Placement explainer has a fairly comprehensive Privacy & Security section, which covers fingerprinting, and a similarly expanded security_and_privacy.md document.

Please spin up a new issue if you have updated feedback, thanks!