W3C Manifest start_url may be a fingerprinting vector

NEW
Unassigned

Status

enhancement
16 days ago
14 days ago

People

(Reporter: Ehsan, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

16 days ago

See https://blog.lukaszolejnik.com/tracking-users-with-rogue-progressive-web-applications/.

We can probably provide some level of protection when resistFingerprinting is turned on, such as fetching the manifest twice (perhaps once without credentials) and comparing the two start_urls...

Type: defect → enhancement

Comment 1

15 days ago

My short comment: while it solves part of the problem (and this is good), it is not needed to use cookies when installing the manifest (that's actually the bonus of https://pwapprehension.sensorsprivacy.com, not my main point).

(Reporter)

Comment 2

15 days ago

Yes, that's true. :/ There may be better options available for verifying whether different "users" get unique versions of the manifest.
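The check proposed in the description (fetch the manifest with and without credentials, then compare the two start_urls), sketched as an added example that is not Firefox code or part of the original bug. Function names, URLs and manifest bodies are constructed for illustration, and as Comment 1 points out, the comparison only catches identifiers that depend on credentials.

```javascript
// Added example: hypothetical function names, constructed inputs.
// In a browser the two bodies would come from
//   fetch(manifestUrl, { credentials: "include" }) and
//   fetch(manifestUrl, { credentials: "omit" });
// they are inlined here so the check runs offline.

// Resolve start_url roughly as the manifest spec does: relative to the
// manifest URL, falling back to the document URL when the member is
// missing, unparsable, or not same-origin with the document.
function resolveStartUrl(manifestText, manifestUrl, documentUrl) {
  const fallback = new URL(documentUrl);
  let manifest;
  try { manifest = JSON.parse(manifestText); } catch { return fallback; }
  const raw = manifest && manifest.start_url;
  if (typeof raw !== "string" || raw === "") return fallback;
  let url;
  try { url = new URL(raw, manifestUrl); } catch { return fallback; }
  return url.origin === fallback.origin ? url : fallback;
}

// Compare the start_url seen with credentials against the one seen without,
// and report which URL components differ between the two fetches.
function compareStartUrls(withCreds, withoutCreds, manifestUrl, documentUrl) {
  const a = resolveStartUrl(withCreds, manifestUrl, documentUrl);
  const b = resolveStartUrl(withoutCreds, manifestUrl, documentUrl);
  const differences = [];
  if (a.pathname !== b.pathname) differences.push("path");
  if (a.hash !== b.hash) differences.push("fragment");
  const keys = new Set([...a.searchParams.keys(), ...b.searchParams.keys()]);
  for (const k of keys) {
    const va = a.searchParams.getAll(k).join("\0");
    const vb = b.searchParams.getAll(k).join("\0");
    if (va !== vb) differences.push("query:" + k);
  }
  return { consistent: differences.length === 0, differences };
}

// Constructed sample: the credentialed response carries a per-user token.
const MANIFEST_URL = "https://app.example/manifest.json";
const DOCUMENT_URL = "https://app.example/";
const CREDENTIALED = JSON.stringify({ name: "Demo", start_url: "/index.html?uid=7f3a9c&utm=pwa" });
const ANONYMOUS = JSON.stringify({ name: "Demo", start_url: "/index.html?utm=pwa" });

console.log(compareStartUrls(CREDENTIALED, ANONYMOUS, MANIFEST_URL, DOCUMENT_URL));
```
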
