Skip to content

[media-5] Add more discussion of fingerprinting risks with prefers-*, per #12282 #12318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 17, 2025
Merged

[media-5] Add more discussion of fingerprinting risks with prefers-*, per #12282 #12318

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9aacebe
[Mediaqueries] Add more fingerprinting information.
schenney-chromium Jun 11, 2025
30be3d2
Fix typos
schenney-chromium Jun 11, 2025
2f2ad81
Expand the disscussion
schenney-chromium Jun 16, 2025
205d620
Cleanup post review
schenney-chromium Jun 16, 2025
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 36 additions & 19 deletions mediaqueries-5/Overview.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,21 +148,6 @@ Units</h3>
Note that this will also take into account additional restrictions the user might apply,
such as minimum font sizes.

<h3 id='mq-prefers-security'>
Prefers-* Media Features Security and Privacy</h3>

<div class=issue>
Information about a user can be used as an active fingerprinting vector.
Analysis of impact pending, more information to be provided before spec
is published.

User agents and developers implementing this
specification need to be aware of this vector and take it
into consideration when deciding whether to use the feature.
Specifically `prefers-reduced-motion`, `prefers-color-scheme`, `prefers-reduced-transparency` and
`prefers-reduced-data` are currently of concern for exploitation.
</div>

<!--
██ ██ ███████
███ ███ ██ ██
Expand Down Expand Up @@ -3692,9 +3677,39 @@ Appendix B: Privacy Considerations</h2>

Issue: this section is <a href="https://github.com/w3c/csswg-drafts/issues?q=is%3Aopen+is%3Aissue+label%3Amediaqueries-5+label%3Aprivacy-tracker">incomplete</a>

The 'prefers-reduced-data' media feature
may be an undesired source of fingerprinting,
with a bias towards low income with limited data.
Many media features enable fingerprinting of users
based on the display and interaction characteristics of their device:

* <a href="#mf-colors">Colors</a>: {{color}}, {{color-index}}, {{monochrome}}, {{color-gamut}} and {{dynamic-range}}
* <a href="#mf-viewport-characteristics>Viewport characteristics</a>: {{aspect-ratio}}, {{orientation}},
{{horizontal-viewport-segments}} and
{{vertical-viewport-segments}}
* <a href="#mf-display-quality">Display quality</a>: {{resolution}}, {{scan}}, {{grid}}, {{update}} and {{environment-blending}}
* <a href="#interaction">Interaction devices</a>: {{pointer}}, {{hover}}, {{any-pointer}} and {{any-hover}}.

The {{environment-blending}} feature is of particular concern
because it suggests <em>where</em> a user may be located,
and is likely present in a small set of devices.
Uncommon device properties are stronger fingerprinting features
because they help segment devices into smaller sets.

Media features that reflect operating system preferences are a fingerprinting risk
because such preferences are correlated with characteristics of the user themselves:

* The {{prefers-reduced-data}} media feature may be correlated with low income and limited data.
* The {{prefers-reduced-motion}}, {{prefers-color-scheme}}, {{prefers-reduced-transparency}},
{{forced-colors}} and {{inverted-colors}} queries reflect affordances for a range of special needs.

Properties dependent on one of the above media queries may be accessed by script:

* Colors and other property values may be directly accessed through computed style,
though user agents may elect to return constants for some colors
(see, for example, <a href="https://drafts.csswg.org/css-color-4/#css-system-colors">CSS Color 4</a>).
* Layout affecting properties (such as font size) influence lengths, positions and sizes available to script.

User agents may disable these media features when users have expressed sensitivity to tracking.
Alternatively, user agents may limit the combination of features within a single page
to reduce the fingerprinting power of the page.

The {{PreferenceManager}} object allows querying some user-preference [=media features=]. This
is not a privacy leak, as that information is already trivially
Expand All @@ -3715,7 +3730,7 @@ Appendix B: Privacy Considerations</h2>

Issue: this section is <a href="https://github.com/w3c/csswg-drafts/issues?q=is%3Aopen+is%3Aissue+label%3Amediaqueries-5+label%3Asecurity-tracker+">incomplete</a>

The 'display-mode' media feature allows an origin
The {{display-mode}} media feature allows an origin
access to aspects of a user’s local computing environment and,
particularly when used together with an [=application manifest=] [=manifest/display=] member [[APPMANIFEST]],
allows an origin some measure of control over a user agent’s native UI.
Expand Down Expand Up @@ -3745,6 +3760,7 @@ the following changes and additions were made to this module since the
* Establish a normative reference for [[Display-P3]]
* Disallow use of ''layer'' as a media type, rather than merely treat it as an unknown one, for compatibility with [=cascade layers=].
* Clarify intent of 'prefers-reduced-motion'
* Added further discussion of fingerprinting vectors

<h3 id="changes-since-2020-07-31"
oldids="video-width, descdef-media-video-width, video-height, descdef-media-video-height, video-resolution, descdef-media-video-resolution">
Expand Down Expand Up @@ -3908,6 +3924,7 @@ Comments from
Sigurd Lerstad,
Simon Kissane,
Simon Pieters,
Stephen Chenney,
Steven Pemberton,
Susan Lesch,
Tantek Çelik,
Expand Down