w3c/badging

Selectively exposing the API could be a fingerprinting vector

Closed this issue · 3 comments

The spec states:

User agents that never display application badges SHOULD NOT expose the {{NavigatorBadge/setAppBadge()}} and {{NavigatorBadge/clearAppBadge()}} methods.

This implies that the API is only ever revealed for installed web applications. That, in turn, reveals if the user has installed the web application*.

It might be better to consider always exposing this API and making it a no-op. Chrome already behaves like this, for instance.

*there are other ways that a third-party could figure out if a web application is installed (e.g., through checking the "display-mode" media feature, though that doesn't 100% assure the application is "installed"). However, this exacerbates the problem.

Another case in point is that even if setAppBadge() is exposed, user preferences might dictate that setAppBadge() is a no-op because they don't wish to see number indicators for that (or any) installed application. This is how Notification Center works on macOS and iOS. Android seems to provide similar functionality.

The current text could be misinterpreted that the API shouldn't be exposed if the user has set a preference to not show badges (as "it never displays badges").
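As an added example (not code from the Badging spec, this thread, or Chromium), the script below shows what a third-party page can observe from the presence of setAppBadge()/clearAppBadge() and from the "display-mode" media feature, what that presence reveals under the two exposure policies discussed above ("only installed apps get the API" versus "always exposed, possibly as a no-op"), and a caller-side wrapper that behaves the same whether the method is missing, a silent no-op, or rejects. The function names, the policy labels, and the mock navigator/matchMedia objects are assumptions constructed for illustration so that it runs in Node without a browser.

```javascript
// Added example, not code from the Badging spec or from this thread.
// `nav` and `matchMedia` are injected so the functions run outside a browser;
// in a page you would pass window.navigator and window.matchMedia.

// Gathers the signals a third-party script can read about badging support
// and (indirectly) installation.
function badgeSignals(nav, matchMedia) {
  const apiExposed =
    typeof nav.setAppBadge === "function" &&
    typeof nav.clearAppBadge === "function";
  // display-mode is only a hint: "standalone" is what an installed app usually
  // gets, but it does not guarantee installation, and a normal tab reports "browser".
  let displayMode = "unknown";
  if (typeof matchMedia === "function") {
    for (const mode of ["standalone", "fullscreen", "minimal-ui", "browser"]) {
      if (matchMedia(`(display-mode: ${mode})`).matches) {
        displayMode = mode;
        break;
      }
    }
  }
  return { apiExposed, displayMode };
}

// What the API's presence tells a page under each exposure policy.
// "installed-only": the reading the issue worries about (presence leaks installation).
// "always": the Chrome behaviour described in the issue (exposed even as a no-op),
// where presence only says the UA can show badges at all.
function whatPresenceReveals(policy, apiExposed) {
  if (policy === "installed-only") {
    return apiExposed ? "app is installed" : "app is not installed";
  }
  if (policy === "always") {
    return apiExposed
      ? "UA can show badges (installation unknown)"
      : "UA never shows badges";
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Sets a badge without relying on anything the caller cannot know:
// "unsupported" if the method is missing, "applied" if the promise resolves
// (a user preference may still have turned it into a no-op), "rejected" otherwise.
async function safeSetAppBadge(nav, count) {
  if (typeof nav.setAppBadge !== "function") return "unsupported";
  try {
    await (count === undefined ? nav.setAppBadge() : nav.setAppBadge(count));
    return "applied";
  } catch (e) {
    return "rejected";
  }
}

// Constructed mocks standing in for window.navigator and window.matchMedia.
const installedNav = {
  setAppBadge: async (n) => {
    if (n !== undefined && (!Number.isInteger(n) || n < 0)) {
      throw new TypeError("badge count must be a non-negative integer");
    }
  },
  clearAppBadge: async () => {},
};
const noBadgeNav = {}; // a UA that does not expose the API at all
const standaloneMatchMedia = (q) => ({ matches: q === "(display-mode: standalone)" });
const tabMatchMedia = (q) => ({ matches: q === "(display-mode: browser)" });

// Demo: compare what each policy lets a page conclude from the same signals.
for (const [label, nav, mm] of [
  ["installed app", installedNav, standaloneMatchMedia],
  ["no badging UA", noBadgeNav, tabMatchMedia],
]) {
  const s = badgeSignals(nav, mm);
  console.log(label, s,
    "| installed-only:", whatPresenceReveals("installed-only", s.apiExposed),
    "| always:", whatPresenceReveals("always", s.apiExposed));
}
```

The wrapper deliberately returns the same value for "badge shown" and "badge silently suppressed by a user preference": the promise resolves in both cases, so a page cannot use the call to learn the preference, which is the property the no-op design is meant to preserve.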

This implies that the API is only ever revealed for installed web applications

My interpretation of that line is different - it sounds to me like User Agents which don't support application badges at all (i.e. Firefox Desktop, Chrome Android) should not expose the API, rather than saying the API shouldn't be present if it isn't going to do anything. At least, that's how I interpreted it when I was implementing it in Chromium. Could definitely be clearer though :)

I think it was intended as feature detection for "This browser can show badges".

Ok, let's stick with the current wording.