Audio APIs were released as recently as last year that are used for widespread fingerprinting via audio hardware latency information that is available with no notice to the user and without their permission, even on websites with zero audio.
This simply isn't true. That's not even the only recent API that Chrome has spearheaded that is being abused by ad networks and other nefarious actors.
gruez 1301 days ago [-]
> Audio APIs were released as recently as last year that are used for widespread fingerprinting via audio hardware latency information that is available with no notice to the user and without their permission, even on websites with zero audio.
That seems to be fixed, at least on firefox. The result from console.log(new AudioContext()) seems to be generic values that don't correspond to the actual values (eg. it reports the sample rate as 44.1khz, but my system sample rate is 48khz).
0xy 1300 days ago [-]
None of what you said is relevant to Chrome. Chrome still allows ad networks to pilfer this information as of the latest version.
Chrome is the worst browser for privacy by far. Between cookie policies, X-Client-Data backdoors for DoubleClick and APIs like this one it seems awfully convenient that this stuff continues to make it to production for ad networks to abuse with impunity.
wolrah 1301 days ago [-]
Yeah, that was my immediate thought as well.
I have a WQHD (3440x1440) main display with two old 1680x1050 panels mounted side by side above it. Even amongst those with three monitors my setup is quite unusual and thus would be incredibly useful as a fingerprint.
I see that it'll be gated behind a permission popup like many other modern browser features, but based on the number of clients I've had to clear ad networks out of their "Allow Notifications" lists for it's quite clear that a lot of people just hit "yes" to whatever they're prompted about.
I of course see the value to developers of complex web apps, but IMO this is the sort of thing that shouldn't actually happen in the browser itself. Make it exclusive to Electron or similar platforms that use a web browser style engine but can have additional capabilities beyond what's reasonable to expose to a plain old browser.
rcarmo 1302 days ago [-]
I came here to point out _exactly_ this. And I wouldn't stop at permissions, these things should be session-only and not persist across visits.
I'd say the need to not just move your windows yourself in that given case is niche.
PaulHoule 1301 days ago [-]
Who writes native desktop apps anymore?
Sure, HP writes UWP application to harass you into buying more ink.
However a wide swath of firms develop on Mac for a Windows world, thus electron.
I have looked long and far for a good cross platform ui toolkit and I don't believe there is anything that comes close to the web platform.
rektide 1301 days ago [-]
It's an old legacy mentality when you can't imagine web systems filling the role of regular applications. Please update your mental models accordingly.
That you happen to think of the web as being for this specific thing that you imagine is not a fair constraint. The web does not want to be excluded from becoming more, please stop placing it in the corner.
> The TL;DR is that we strongly value the feedback of real web developers (that means you!) during the process of designing and standardizing new features. We believe origin trials provide a good way of encouraging that feedback, while being extremely careful that the experiments aren’t used by sites in production-critical roles or as if they’re finalized features.
agentultra 1301 days ago [-]
So... when are we going to see machines that just init into a web browser instead of a desktop? 2 years?
andrewaylett 1301 days ago [-]
Chromebooks? FirefoxOS too -- it might not have taken off enough to be viable, but it worked.
agentultra 1301 days ago [-]
Good point, I have been missing out!
anaganisk 1301 days ago [-]
Nerds at Google keep making Chrome browser a full blow OS and Bean counters keep finding ways to abuse them for data, demand supply right there.
Rendered at 22:58:16 GMT+0000 (Coordinated Universal Time) with Vercel.
This simply isn't true. That's not even the only recent API that Chrome has spearheaded that is being abused by ad networks and other nefarious actors.
That seems to be fixed, at least on firefox. The result from console.log(new AudioContext()) seems to be generic values that don't correspond to the actual values (eg. it reports the sample rate as 44.1khz, but my system sample rate is 48khz).
Chrome is the worst browser for privacy by far. Between cookie policies, X-Client-Data backdoors for DoubleClick and APIs like this one it seems awfully convenient that this stuff continues to make it to production for ad networks to abuse with impunity.
I have a WQHD (3440x1440) main display with two old 1680x1050 panels mounted side by side above it. Even amongst those with three monitors my setup is quite unusual and thus would be incredibly useful as a fingerprint.
I see that it'll be gated behind a permission popup like many other modern browser features, but based on the number of clients I've had to clear ad networks out of their "Allow Notifications" lists for it's quite clear that a lot of people just hit "yes" to whatever they're prompted about.
I of course see the value to developers of complex web apps, but IMO this is the sort of thing that shouldn't actually happen in the browser itself. Make it exclusive to Electron or similar platforms that use a web browser style engine but can have additional capabilities beyond what's reasonable to expose to a plain old browser.
Sure, HP writes UWP application to harass you into buying more ink.
However a wide swath of firms develop on Mac for a Windows world, thus electron.
I have looked long and far for a good cross platform ui toolkit and I don't believe there is anything that comes close to the web platform.
That you happen to think of the web as being for this specific thing that you imagine is not a fair constraint. The web does not want to be excluded from becoming more, please stop placing it in the corner.
> The TL;DR is that we strongly value the feedback of real web developers (that means you!) during the process of designing and standardizing new features. We believe origin trials provide a good way of encouraging that feedback, while being extremely careful that the experiments aren’t used by sites in production-critical roles or as if they’re finalized features.