Adversarial attack. #38
Comments
Thanks for opening the issue Arthur.
We're only looking at top-level navigations, so this won't impact FLoC.
Interesting. I think we can mitigate this by only including navigations which were created due to a user gesture.
Should be solved by the above.
If we were to incorporate page content into the FLoC clustering algorithm, I don't think it would update over the life of the page. It'd likely be snapshotted sometime shortly after the page load. That said, we would need to be careful that the context that is fed to the algorithm is the same content that the user sees for reasons like you say here.
+1 to gating floc inclusion on navigation that had user activation, though I am not sure how that will affect performance. This is a similar mechanism as scroll-to-text fragment (https://web.dev/text-fragments/#security)
+1 for considering only the navigations initiated by the user.
On a related note, it seems useful for the explainer to clearly outline the kinds of information that can influence the FLoC:
I realize it's difficult to answer this because we may not know this in advance, but this is crucial for the security/privacy model because it influences what kind of information could potentially be exposed via the FLoC.
What will prevent a malicious website from abusing FLOC and forcing users into an arbitrary cohort?
Some ideas:
w = window.open(); w.resizeTo(w,h); w.moveTo(x,y). Then make them navigate many times, once the popup is put into the background.
It would be worth documenting what is put in place for preventing this in practice.
+@arturjanc FYI.
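The two gates discussed in this thread (top-level navigations only, and only navigations created by a user gesture), applied to a small navigation log to show which page-forced entries each gate removes. This is an added example, not code from the FLoC proposal or from Chrome; the field names, the policy names and the log itself are constructed for illustration.

```javascript
// Constructed navigation log. Field names are hypothetical, not FLoC's data model.
// `forced` is ground truth for this demo only: true when the page, not the user, caused it.
const navigationLog = [
  { url: "https://news.example/story", topLevel: true,  userGesture: true,  forced: false },
  { url: "https://shop.example/cart",  topLevel: true,  userGesture: true,  forced: false },
  // Navigation inside an embedded frame.
  { url: "https://frame-a.example/",   topLevel: false, userGesture: false, forced: true },
  // Script-driven navigations in a popup that has been pushed to the background.
  { url: "https://popup-b.example/",   topLevel: true,  userGesture: false, forced: true },
  { url: "https://popup-c.example/",   topLevel: true,  userGesture: false, forced: true },
];

// Hypothetical policy names: no gate, the first gate, and both gates together.
const POLICIES = {
  everything:         { topLevelOnly: false, gestureOnly: false },
  topLevelOnly:       { topLevelOnly: true,  gestureOnly: false },
  topLevelAndGesture: { topLevelOnly: true,  gestureOnly: true  },
};

// Navigations a given policy would let into the cohort computation.
function eligibleNavigations(log, policy) {
  return log.filter((nav) =>
    (!policy.topLevelOnly || nav.topLevel) &&
    (!policy.gestureOnly || nav.userGesture));
}

// Hostnames that would feed the cohort computation, de-duplicated and sorted.
function cohortHosts(log, policy) {
  const hosts = eligibleNavigations(log, policy).map((nav) => new URL(nav.url).hostname);
  return [...new Set(hosts)].sort();
}

// How many page-forced navigations still get through under a policy.
function forcedSurvivors(log, policy) {
  return eligibleNavigations(log, policy).filter((nav) => nav.forced).length;
}

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, forcedSurvivors(navigationLog, policy), cohortHosts(navigationLog, policy));
}
```

In this log the top-level gate alone drops only the framed navigation; the popup-driven ones are top-level and are removed only once the user-gesture gate is added.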