[Webkit-unassigned] [Bug 161227] New: Consider not revealing screen dimensions or browser window position to webpages

bugzilla-daemon at webkit.org
Thu Aug 25 21:49:18 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=161227

            Bug ID: 161227
           Summary: Consider not revealing screen dimensions or browser
                    window position to webpages
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: webkit at chrisrebert.com

Steps to reproduce the problem:
1. Open Safari on macOS.
2. Move Safari's window down a bit and to the right a bit.
3. Open the JavaScript console.
4. Evaluate the following JavaScript expressions in the console:
    window.screenX
    window.screenY
    window.screen.height
    window.screen.availHeight
    window.innerHeight

What is the expected behavior?
window.screenX and window.screenY should equal 0.
window.screen.availHeight, window.screen.height, and window.innerHeight should
all have the same value.

What went wrong?
window.screenX and window.screenY have non-zero values.
window.screen.availHeight is less than window.screen.height by the sum of the heights of the toolbars+menubar+etc.
window.screen.height is equal to the height of the user's physical screen.


Details:
Like other browsers, Safari currently exposes (directly or via trivial calculations) the following information via CSSOM:
* The dimensions of the user's physical screen.
* The location of the browser's window within the screen.
* The total size of the menubars/chrome.

IMHO, webpages have no business knowing these things. Only the size of the browser's viewport ought to be relevant to them.
I have been unable to come up with any good technical reason they would need to know these things.
All that comes to mind is one novelty popup-based JezzBall implementation,
and popups are a UI paradigm which is strongly discouraged at this point anyway.

(The size of the screen is relevant in Fullscreen Mode, but in that case the viewport becomes
identical to the screen, so again, only the viewport is necessary.)

This information exposes unnecessary fingerprinting vectors, which can degrade user privacy.

The CSSOM specification has been recently updated to allow browsers to plug these privacy holes:
https://github.com/w3c/csswg-drafts/commit/dc36ecd7a46b173f958dafa736a84eb9753afb7b

It would thus be nice if Safari switched to the more privacy-conscious versions of the relevant newly-defined CSSOM terms.

This roughly amounts to pretending, for the purposes of the APIs in question, that the physical screen
exactly consists of just the viewport and that there's no chrome/toolbars.

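
An added example, not part of the original report and not WebKit code: it checks a window-like object against the report's "expected behavior" and builds the viewport-only view the report describes. The function names, the constructed sample values and the width checks (the report lists only the height properties) are assumptions.

```javascript
// Added example: all names here are hypothetical, not WebKit code.
// Lists the properties that reveal more than the viewport, using the
// report's "expected behavior" as the baseline.
function auditExposure(win) {
  const findings = [];
  const expect = (name, actual, wanted) => {
    if (actual !== wanted) findings.push(name);
  };
  // The window's position within the screen should not be observable.
  expect('screenX', win.screenX, 0);
  expect('screenY', win.screenY, 0);
  // Screen metrics should collapse to the viewport size.
  expect('screen.width', win.screen.width, win.innerWidth);
  expect('screen.height', win.screen.height, win.innerHeight);
  expect('screen.availWidth', win.screen.availWidth, win.innerWidth);
  expect('screen.availHeight', win.screen.availHeight, win.innerHeight);
  return findings;
}

// The view the report asks for: the screen consists of just the viewport,
// with no chrome or toolbars and no window offset.
function viewportOnlyView(win) {
  const { innerWidth, innerHeight } = win;
  return {
    screenX: 0,
    screenY: 0,
    innerWidth,
    innerHeight,
    screen: {
      width: innerWidth,
      height: innerHeight,
      availWidth: innerWidth,
      availHeight: innerHeight,
    },
  };
}

// Constructed sample: a window moved down and to the right on a 1440x900 screen.
const sampleWindow = {
  screenX: 120, screenY: 95, innerWidth: 1200, innerHeight: 700,
  screen: { width: 1440, height: 900, availWidth: 1440, availHeight: 877 },
};

console.log(auditExposure(sampleWindow));
console.log(auditExposure(viewportOnlyView(sampleWindow)));
```

In a browser console, `auditExposure(window)` runs the same check against the live values from the steps to reproduce.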