deviceId and Clear-Site-Data #836
Comments
|
gUM is designed to recognize deviceIds an app may have stored in cookies or localStorage, so once both |
|
We already have language on deviceId: Since deviceId may persist across browsing sessions and to reduce its potential as a fingerprinting mechanism, deviceId is to be treated as other persistent storage mechanisms such as cookies [COOKIES], in that User Agents MUST NOT persist device identifiers for sites that are blocked from using cookies, and User Agents MUST rotate per-origin device identifiers when other persistent storage are cleared. So the question is if "other persistent storage are cleared" covers the Clear-Site-Data header. If it does, it's an implementation bug. |
|
I don't think "other persistent storage are cleared" has a precise definition, which is part of what we need to address. |
|
I guess we could either refer to https://w3c.github.io/webappsec-clear-site-data/#abstract-opdef-clear-dom-accessible-storage-for-origin et al. |
|
See also #675 |
|
FWIW, Chrome is implementing rotating device IDs with |
The spec requires that
One of the mechanisms that exist to clear persistent storage is the
Clear-Site-Dataheader.As far as I can tell, neither Chrome nor Firefox rotate
deviceIdwhen they encounter that header - I have a test that shows it for thecookiesvalue of the header, but I've verified that it remains true for*. (Safari doesn't implement that header).I think it would be useful to confirm or infirm whether
Clear-Site-Datais expected to impactdeviceIdrotation (I would argue the current wording implies that it is expected), and if so, to specify under what bucket of the header (I could imagine eithercookiesorstorage).The text was updated successfully, but these errors were encountered: