| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 08 Oct 2025 03:54:36 GMT
content-type: text/html; charset=utf-8
cache-control: max-age=0, private, must-revalidate
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com/ copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
link: ; rel=preload; as=fetch; crossorigin=use-credentials
referrer-policy: no-referrer-when-downgrade
server-timing: issue_layout-fragment;desc="issue_layout fragment";dur=204.669392,issue_conversation_content-fragment;desc="issue_conversation_content fragment";dur=985.846009,nginx;desc="NGINX";dur=1.343788,glb;desc="GLB";dur=151.185847
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With, Accept,Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-voltron-version: 266d7a9
x-xss-protection: 0
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=ztlJCi2osf9mCB%2FqXEYY%2Fbt2osetlKaNzsIC7JHn4RhnEuiSDOCao%2FYKWaZS2VZJ514ICCQ%2B%2FKMN5u0VzNVsVFHBV9xoFmA9T6C5grSnX54pevZ7qLUA%2BMdgQQEMRDNKc1kRmsl4p%2BOHbsLpLChsfOMLJQ0wldCwXB5qJXcriAtXOR4OwK%2FLzaaNy8lDBpGib6K0hFiBkitBXsOiF1iNssMy6tlOSJM%2BID8Wi4CT1ug8qSTSJwd3oYjGp1uvfqmKDtXUZZE1lQoksAUmHZ0KaQ%3D%3D--Pc8xCPYwcljOeLqj--DLnTnA5HI5BXv8eincbmgA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.1783754870.1759895674; Path=/; Domain=github.com; Expires=Thu, 08 Oct 2026 03:54:34 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 08 Oct 2026 03:54:34 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: 8188:1C5F84:1E8764:2CDE89:68E5E07A
Information Exposure and Fingerprintability · Issue #1872 · w3c/epub-specs · GitHub
No one assignedNo typeNo projectsNo milestoneNone yetNo branches or pull requests
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 64
Closed
Labels
EPUB33Issues fixed in the EPUB 3.3 revisionIssues fixed in the EPUB 3.3 revisionSpec-EPUB3The issue affects the core EPUB 3.X RecommendationThe issue affects the core EPUB 3.X Recommendationprivacy-needs-resolutionIssue the Privacy Group has raised and looks for a response on.Issue the Privacy Group has raised and looks for a response on.
Description
From the PING review:
What data on user device is revealed and what is the risk of fingerprintability?
This spec appears to define a reading system user agent string
epubReadingSystem. Is there still anavigator.userAgentor similar? Is this a replacement or a duplication of that feature? There is also ongoing work to limit or deprecate user agent strings on the Web platform -- to make it an explicit opt-in rather than always disclosed in great detail. At the very least, we need to recommend that user agent strings have entropy that is strictly limited as necessary for debugging and compatibility. And it should be noted thatepubReadingSystemreveals information about how the reader is reading the book, potentially back to the author/publisher of the book, unless scripting is more strictly limited.
As every EPUB is considered a separate origin, the threat model here is: can an author/publisher of multiple ebooks learn from these configuration characteristics that the same user is reading both of them? And on information disclosure (perhaps because the ebook publisher already knows the exact customer who purchased that particular copy of that book), does the publisher learn something about the customer's devices or software choices?
Metadata
Metadata
Assignees
Labels
EPUB33Issues fixed in the EPUB 3.3 revisionIssues fixed in the EPUB 3.3 revisionSpec-EPUB3The issue affects the core EPUB 3.X RecommendationThe issue affects the core EPUB 3.X Recommendationprivacy-needs-resolutionIssue the Privacy Group has raised and looks for a response on.Issue the Privacy Group has raised and looks for a response on.
Type
Projects
Milestone
Relationships
Development
Issue actions
You can’t perform that action at this time.