Consider not revealing screen dimensions or browser window position to webpages
Reported by
cvreb...@gmail.com,
Aug 26 2016
|
||||||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Steps to reproduce the problem:
1. Open Chrome in a desktop OS.
2. Move Chrome's window down a bit and to the right a bit.
3. Open the Console in Chrome DevTools.
4. Evaluate the following JavaScript expressions in the Console:
window.screenX
window.screenY
window.screen.height
window.screen.availHeight
window.innerHeight
What is the expected behavior?
window.screenX and window.screenY should equal 0.
window.screen.availHeight, window.screen.height, and window.innerHeight should
all have the same value.
What went wrong?
window.screenX and window.screenY have non-zero values.
window.screen.availHeight is less than window.screen.height by the sum of the heights of the toolbars+taskbars+etc.
window.screen.height is equal to the height of the user's physical screen.
Did this work before? N/A
Chrome version: 52.0.2743.116 Channel: stable
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 22.0 r0
Chrome currently exposes (directly or via trivial calculations) the following information via CSSOM:
* The dimensions of the user's physical screen.
* The location of the browser's window within the screen.
* The total size of the OS's taskbars/menubars/toolbars.
IMHO, webpages have no business knowing these things. Only the size of the browser's viewport ought to be relevant to them.
I have been unable to come up with any good technical reason they would need to know these things.
All that comes to mind is one novelty popup-based JezzBall implementation, and popups are a UI paradigm which
is strongly discouraged at this point anyway.
(The size of the screen is relevant in Fullscreen Mode, but in that case the viewport becomes identical to the screen,
so again, only the viewport is necessary.)
This information exposes unnecessary fingerprinting vectors, which can degrade user privacy.
The CSSOM specification has been recently updated to allow browsers to plug these privacy holes:
https://github.com/w3c/csswg-drafts/commit/dc36ecd7a46b173f958dafa736a84eb9753afb7b
It would thus be nice if Chrome switched to the more privacy-conscious versions of the relevant newly-defined CSSOM terms.
This roughly amounts to pretending, for the purposes of the APIs in question, that the physical screen
exactly consists of just the viewport and that there's no chrome/toolbars.
,
Aug 26 2016
,
Aug 26 2016
I put Blink>Input becuase input-dev-related people have been working on viewport issues. Is there a better component?
,
Sep 1 2016
,
Sep 1 2016
,
Sep 1 2016
While I agree in principle but I think we'd need to be careful. Screen coordinates are sometimes used for things like gesture detection and eye tracking; there are some niche use cases that we can't break. It looks like window.screenX|Y are used on ~3% of page loads (https://www.chromestatus.com/metrics/feature/popularity) so this change has the potential to affect a large number of pages. I'll leave it open on input-dev but I don't see us prioritizing this any time soon unless there's an urgent, concrete reason.
,
Sep 2 2016
I did a quick query with BigQuery: SELECT url FROM [httparchive:har.2016_08_01_chrome_requests_bodies] WHERE body CONTAINS 'window.screenX' GROUP BY url ORDER BY url LIMIT 2000 It looks like the vast majority of uses contributing to the 3% are pop-up / pop-under ad libraries. The next popular users are "crayon-syntax-highlighter" (a Word Press plugin) and a library for federated logins with social networks (oneall.com, also doing popups).
,
Sep 2 2016
Yah, I suspect we could probably do it without causing much havoc. I just checked Firefox and they still return the actual screen values too; I'm guessing other browsers do as well. If this does happen, I'd like to see other vendors at least commit to doing it too.
,
Sep 2 2016
See also: * https://bugs.webkit.org/show_bug.cgi?id=161227 * https://twitter.com/smfr/status/769006160602988545 * https://bugzilla.mozilla.org/show_bug.cgi?id=1298116 > Screen coordinates are sometimes used for things like gesture detection and eye tracking Are either of those Web-exposed though?
,
Aug 28 2017
,
Aug 28
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 30
I agree with bokan@ that this feature seems reasonable as long as we don't break a huge amount of usecases. Reporter are there any other similar privacy related fields that we need to take care of and you might know?
,
Aug 31
For CSSOM View, the only additional relevant fields I'm aware of are:
MouseEvent.screen{X,Y}
though I don't claim expertise in this area.
The CSSOM View spec unfortunately lacks a "Privacy & Security Considerations" section currently,
which could offer more guidance here. Adding such a section falls within https://github.com/w3c/csswg-drafts/issues/207
The suggested changes also have implications for
https://drafts.csswg.org/cssom-view/#the-features-argument-to-the-open()-method
but that's more a matter of making the more-private model of these fields work consistently.
I'm not aware of open() itself leaking any screen/window info.
So to recap, all the known-relevant fields are:
window.screen{X,Y}
MouseEvent.screen{X,Y}
window.screen.{width,height}
window.screen.avail{Width,Height}
,
Yesterday
(35 hours ago)
Issue 356113 has been merged into this issue. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by karandeepb@chromium.org
, Aug 26 2016Status: Untriaged (was: Unconfirmed)