Hi everyone,

We're designing an API to address the use case of feature detecting
scenarios where the interesting information is either not available to the
application because it doesn't have enough permissions, or because it doesn't
have direct access to the information it needs to query. (The proposal is
posted to the dev-webapi list here:
<https://groups.google.com/forum/#!forum/mozilla.dev.webapi> and will be
available under a thread named "A proposal for a feature detection API"
when the Google archives are refreshed.)
Most of this information can be indirectly inferred from the information
exposed in the UA string. An example of this is APIs designed to tell you
whether the platform supports a given API if the app has the required
privileges, with the goal of enabling Market Place to avoid offering apps
which will not work on the device.
But there are two specific cases where we might end up exposing additional
fingerprinting bits, which is what I would like feedback on from the
Privacy team.
1. Exposing the amount of available memory on the device. This is a
requirement for the Tarako device. The issue here is that the Tarako
device ships with 128MiB of memory which makes it unable to run some of the
apps that are in the Market Place because the app process would OOM if the
app was loaded on the device. In order for the Market Place app to be able
to avoid offering those types of apps to our users, it needs to know the
amount of memory available on the device.
Right now my proposal does the simple thing of returning the amount of
available memory as the number of mebibytes, like this:

    navigator.getFeature("hardware.memory").then(function(mem) {
      if (mem == 128) {
        // We're running on a 128MiB device
      }
    });

This information will probably be directly correlated with other
information which is currently exposed, such as the device's screen size,
so I'm not sure if this is an actual one unique bit of new information.
Our current use case includes detecting extremely low memory environments,
so we might get away with exposing coarser grained information such as
"lowmem" and "highmem", but there are some games right now which will not
start up on a 256MiB device, and I can only imagine that this problem will
keep recurring with higher amounts of device memory in the future so it
would be nice if we keep that use case in mind while we think about this.
2. Exposing whether the platform supports APIs which rely on hardware
capabilities.
For things such as the Bluetooth API, we need to know whether or not the
underlying hardware capability to support the API exists, in addition to
whether or not the API to expose that functionality exists. While the
existence of the API can be derived from the UA string, the existence of
the hardware is not directly exposed today. So for example, a web page can
run code like:

    navigator.getFeature("api.navigator.mozBluetooth").then(function(available) {
      if (available) {
        // This device has bluetooth hardware inside it
      } else {
        // This device either doesn't have bluetooth hardware, or the API for
        // that doesn't exist
      }
    });

The existence of these kinds of hardware is also directly correlated with
other bits that are already exposed such as the screen size. For example,
one could look at the screen size, and if it's small, determine that you're
running a phone, which probably has bluetooth hardware on it. The other
case to consider is the else branch above, which tells you that
navigator.mozBluetooth will not be available either because the API is not
supported (for example if you're running on Firefox desktop) or that the
hardware is not available.
I'd really appreciate having the Privacy team's feedback on the above two
issues. About the first issue, please note that we're running on a tight
deadline and we need to have a solution implemented and ready to be shipped
in about three weeks, so please prioritize the first issue.
Cheers,
--
Ehsan
<http://ehsanakhgari.org/>
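
As an added example (not part of the original message or of the proposed API): a rough way to estimate how many identifying bits the exact `hardware.memory` value adds once screen size is already exposed, compared with a coarse "lowmem"/"highmem" answer. The device population and the 128 MiB cut-off are constructed assumptions, and `memoryClass` is a hypothetical helper.

```javascript
// POPULATION is constructed sample data, not measurements of real devices.
const POPULATION = [
  { screen: "320x480", memMiB: 128, count: 2 },
  { screen: "320x480", memMiB: 256, count: 2 },
  { screen: "480x800", memMiB: 256, count: 2 },
  { screen: "480x800", memMiB: 512, count: 2 },
];

// Shannon entropy (in bits) of the attribute selected by keyFn.
function entropyBits(population, keyFn) {
  const tally = new Map();
  let total = 0;
  for (const d of population) {
    const k = keyFn(d);
    tally.set(k, (tally.get(k) || 0) + d.count);
    total += d.count;
  }
  let h = 0;
  for (const n of tally.values()) {
    const p = n / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Bits a new attribute adds when `known` is already exposed:
// H(new | known) = H(new, known) - H(known).
function addedBits(population, newFn, knownFn) {
  const joint = entropyBits(population, d => JSON.stringify([newFn(d), knownFn(d)]));
  return joint - entropyBits(population, knownFn);
}

// Hypothetical coarse answer; the 128 MiB default cut-off is an assumption.
function memoryClass(d, lowmemMaxMiB = 128) {
  return d.memMiB <= lowmemMaxMiB ? "lowmem" : "highmem";
}

const byExactMem = d => d.memMiB;
const byScreen = d => d.screen;
const byClass = d => memoryClass(d);
function report(population) {
  return {
    exactAlone: entropyBits(population, byExactMem),
    exactGivenScreen: addedBits(population, byExactMem, byScreen),
    coarseAlone: entropyBits(population, byClass),
    coarseGivenScreen: addedBits(population, byClass, byScreen),
  };
}
console.log(report(POPULATION));
```

On this constructed population the exact value adds 1 bit beyond screen size and the two-bucket answer adds 0.5 bit; real numbers depend entirely on the actual device mix.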