Merge pull request #177 from miketaylr/issues/144/2

Issue #144 - Add fingerprinting to Security & Privacy considerations section
WICG · Dec 21, 2020 · 5bca6e8 · 5bca6e8
2 parents 0edcf9d + 59e4f5a
commit 5bca6e8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -458,7 +458,7 @@ We hope that alternative methods or APIs will exist to address the
 spam filtering and bot detection use cases in the future, as browsers may decide
 to intervene on behalf of their users by limiting the collection of
 user-identifying entropy (e.g., the
-[Privacy Budget](https://github.com/bslassey/privacy-budget proposal).
+[Privacy Budget](https://github.com/bslassey/privacy-budget) proposal).
 
 ### Persistent user tracking
 This is a case of fingerprinting that this proposal *explicitly tries to make

diff --git a/index.bs b/index.bs
@@ -491,12 +491,22 @@ of a given agent's behavior over time.
 Delegation {#delegation}
 ----------
 
-Client Hints will be delegated from top-level pages via Feature Policy. This reduces the likelihood that [=user agent=]
+Client Hints will be delegated from top-level pages via Permissions Policy. This reduces the likelihood that [=user agent=]
 information will be delivered along with subresource requests, which reduces the potential for
 passive fingerprinting.
 
 That delegation is defined as part of [=append client hints to request=].
 
+Fingerprinting {#fingerprinting}
+--------------
+
+The primary goal of User Agent Client Hints is to reduce the default entropy
+available to the network for passive fingerprinting. However, it will still be possible
+for some, or all, hints to be requested and used for active fingerprinting purposes by
+first or delegated third parties. As noted in [[#access]], [=User agents=] should consider
+policies to restrict or reduce access to parties that are known to actively
+fingerprint their users.
+
 Access Restrictions {#access}
 -------------------