Seirdy
Dec 4, 2021, 2:33:19 PM
to chromium...@chromium.org
Some client hints such as "platformVersion" are "high-entropy". Their
values are only revealed when the server explicitly requests them (e.g.,
with JS using getHighEntropyValues).

I'm concerned because this information is just given when requested. If
any website can request this information without the user's knowledge,
then what benefit is there to hiding the sensitive client-hints behind
an API or requiring a request header?

I see three possible ways to handle high-entropy client hints:

1. Give information whenever the website requests it: the status quo.
Significantly worsens privacy by enabling a great deal of
fingerprinting.

2. Include them in the Privacy Budget: this could limit fingerprinting
potential. Unfortunately, the Privacy Budget is a long way off according
to the roadmap; introducing these features before then has temporarily
enabled greater levels of tracking.

3. Put them behind a permission/pref: just like how FLoC can be turned
off in the Privacy Sandbox, high-entropy client hints could be put
behind a toggle.

Options 2 and 3 are not mutually exclusive: implementing both would be
ideal. Like the FLoC toggle, option 3 doesn't have to wait till 2023 and
later; it can be introduced before the Privacy Budget rollout.

What do you all think? And has the Chromium team planned on implementing
any of these? Documentation is a bit scattered, and I've been unable to
find any tickets related to this.
--
/Seirdy
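
Added example (not part of the original post and not Chromium code): a script-level approximation of option 3, wrapping getHighEntropyValues so that every request is logged and only allowlisted hints are forwarded. The names `partitionHints`, `gateHighEntropyValues` and `makeStubUAData` are hypothetical, and the stub and its values are constructed so the block runs in Node.

```javascript
// Split a requested hint list into what the user's allowlist grants and denies.
function partitionHints(requested, allowed) {
  const allow = new Set(allowed);
  const unique = [...new Set(requested)];
  return {
    granted: unique.filter((h) => allow.has(h)),
    denied: unique.filter((h) => !allow.has(h)),
  };
}

// Wrap target.getHighEntropyValues so each call is logged and only allowed
// hints reach the original method. In a browser, target would be
// NavigatorUAData.prototype (assumption: the wrapper is installed in the
// page's own JavaScript context before any page script runs).
function gateHighEntropyValues(target, { allowed = [], log = [] } = {}) {
  const original = target.getHighEntropyValues;
  target.getHighEntropyValues = function (hints) {
    const { granted, denied } = partitionHints(Array.from(hints ?? []), allowed);
    log.push({ granted, denied }); // audit trail of what the page asked for
    // Low-entropy fields (brands, mobile, platform) still come back from the original.
    return original.call(this, granted);
  };
  return log;
}

// Constructed stand-in for navigator.userAgentData; values are sample data.
function makeStubUAData() {
  const values = { architecture: "x86", model: "", platformVersion: "14.0.0" };
  return {
    lastHints: null, // records what the wrapped call actually forwarded
    getHighEntropyValues(hints) {
      this.lastHints = hints;
      const out = { brands: [], mobile: false, platform: "Linux" };
      for (const h of hints) if (h in values) out[h] = values[h];
      return Promise.resolve(out);
    },
  };
}

// A page asks for three hints; the user has allowed only "architecture".
function runDemo() {
  const ua = makeStubUAData();
  const log = gateHighEntropyValues(ua, { allowed: ["architecture"] });
  const result = ua.getHighEntropyValues(["platformVersion", "architecture", "model"]);
  return { ua, log, result };
}

runDemo().result.then((r) => console.log(r));
```

This only covers the JavaScript path: hints delivered as HTTP request headers are outside its reach, and a script-level wrapper is an audit aid rather than an enforcement boundary.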