Rewrite privacy considerations on fingerprinting in start_url #1114
Conversation
|
@marcoscaceres the change is a bit hard to read because it's based off of #1112 which runs tidy and other changes. The relevant changed section is around line 810. |
index.html
Outdated
| developer would prefer the user agent load when the user launches the | ||
| web application (e.g., when the user clicks on the icon of the web | ||
| application from a device's application menu or homescreen). | ||
| represents the <dfn data-export="">start URL</dfn> , which is |
There was a problem hiding this comment.
I'm still a bit worried about exporting "start URL" without an associated thing... could it be:
| represents the <dfn data-export="">start URL</dfn> , which is | |
| represents the <dfn class"export" data-dfn-for="installed web application">start URL</dfn> , which is |
And yes, we still need a formal definition of a "web application".....
There was a problem hiding this comment.
Actually, seems we have defined "installed web application" 🎉
There was a problem hiding this comment.
This is commenting on a PR that was already submitted (#1112). (It just got caught up in this PR's delta because it wasn't submitted at the time I uploaded this.) I've rebased now, which should make things clearer.
You may be right, but I would like you to put this up as a separate PR if you don't mind. It's a bit complex as I've now got text in manifest-incubations which links to this and will have to be updated when you make this change.
There is a "MUST NOT" requirement for developers about putting user data in the start_url. This is not enforceable, so rewriting the paragraph: 1. Removed this requirement for developers. 2. Added a non-normative note that tells developers it would be irresponsible to do this (but acknowledging that we can't practically prevent it). 3. Added a MAY requirement for user agents to offer to uninstall apps associated with an origin when clearing site data.
Co-authored-by: Marcos Cáceres <[email protected]>
Co-authored-by: Marcos Cáceres <[email protected]>
Co-authored-by: Marcos Cáceres <[email protected]>
|
Thanks for the review. I've rebased so it's now current against HEAD. I accepted most of your suggestions, just pushing back against the new sentence about UAs messing with start URLs. |
|
Thanks @mgiuca. I agree that until such times that user agents strip things out (if ever) then there is probably no need to mention it. Just as an example, I think mail.app does strip out known identifiers... so there is some precedent. |
SHA: 2a8fc0a Reason: push, by marcoscaceres Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 2a8fc0a Reason: push, by dmurph Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 2a8fc0a Reason: push, by dmurph Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Closes #1113
This change (choose at least one, delete ones that don't apply):
(No implementation commitment required as it adds a MAY requirement.)
Commit message:
Preview | Diff