Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

timezonechange event could enable cross-origin tracking via simultaneous background event firing (whatwg/html#3047) #34

Open
npdoty opened this issue Jan 13, 2020 · 3 comments
Open

timezonechange event could enable cross-origin tracking via simultaneous background event firing (whatwg/html#3047) #34

npdoty opened this issue Jan 13, 2020 · 3 comments
Labels
s:html https://html.spec.whatwg.org/multipage/ tracker PING is following a discussion, but doesn't require resolution. whatwg https://whatwg.org/

Comments

@npdoty
Copy link
Member

npdoty commented Jan 13, 2020
edited by plehegar
Loading

A new event to be triggered when the user's timezone changes (as opposed to polling) could have privacy implications if the event is fired in all tabs/browsing contexts simultaneously. Discussion also notes that there may be other events with similar properties in HTML. We previously noted this with Idle API, Proximity, Ambient Light, generic Sensor API and MediaCapture.

This is a threat we should add to threat model or other guidance documents.

§ whatwg/html#3047
@npdoty
Copy link
Member Author

npdoty commented Jan 13, 2020

my comments:

Discussion is happening in this pull request, rather than an issue: whatwg/html#3047

@plehegar plehegar added s:html https://html.spec.whatwg.org/multipage/ tracker PING is following a discussion, but doesn't require resolution. labels Feb 14, 2020
@samuelweiler
Copy link
Contributor

also discussed re: GamePad w3c/gamepad#74 (comment)

@samuelweiler samuelweiler mentioned this issue May 7, 2020
Open
@jyasskin
Copy link
Member

jyasskin commented May 7, 2020

I've mentioned this more generally in https://w3cping.github.io/privacy-threat-model/#cap-visible-for-browser-event, and @asankah discussed it in detail in https://asankah.github.io/ephemeral-fingerprinting/.

@w3cbot w3cbot added the whatwg https://whatwg.org/ label Feb 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
s:html https://html.spec.whatwg.org/multipage/ tracker PING is following a discussion, but doesn't require resolution. whatwg https://whatwg.org/
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@npdoty @jyasskin @plehegar @w3cbot @samuelweiler