Privacy: limits on the number of layers?
jyasskin opened this issue · comments
Does the UA's hardware impose any limits on the number of layers that can be composed at once? If so, does that limit expose information about which hardware the person owns, that they might consider private?
If so, please document that in the privacy considerations, and then think about what UAs could do to avoid exposing it.
The spec currently doesn't impose a minimum or maximum number of supported layers.
The amount of layer "pixels" depends on a lot of factors such as the system configuration and the load on the system from other browser pages and other apps.
Layers use the same underlying mechanism as WebGL to allocate GPU memory so it will have identical privacy considerations (as far as determining the system goes)
- By not defining what happens if the page adds too many layers (or pixels), the spec appears to require an infinite number.
- The privacy considerations ought describe how layer-counting through this spec reveals no more information than WebGL memory allocation, and probably how any future privacy-related limits/quantization on WebGL memory allocation would propagate back into this spec.
- By not defining what happens if the page adds too many layers (or pixels), the spec appears to require an infinite number.
That is correct and in line with other specifications. (For instance, the WebXR specification doesn't say how many XRWebGLLayers can be created.)
- The privacy considerations ought describe how layer-counting through this spec reveals no more information than WebGL memory allocation, and probably how any future privacy-related limits/quantization on WebGL memory allocation would propagate back into this spec.
I can add some wording to the spec to describe the former, but I don't know how I could do the latter.
@jyasskin, do you have a suggestion how can tie the layers spec to future changes of WebGL?
Something in the spec should probably say that all memory for layers is allocated through a mechanism equivalent to <the WebGL concept you were referring to>, and then the privacy considerations can say that UAs can put limits on that concept to reduce the identifiability of the user's GPU hardware.