Skip to content

Define privacy-preserving rendering #12554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
foolip wants to merge 1 commit into
base: main
Choose a base branch
from
+36 −0
Open

Define privacy-preserving rendering #12554

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions source
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151602,6 +151602,9 @@ legend[align=right i] {
<code>video</code> element, as defined by the relevant rendering rules; for WebVTT, those are the
<span>rules for updating the display of WebVTT text tracks</span>. <ref>WEBVTT</ref></p>

<p>In <span>privacy-preserving rendering</span>, subtitles and captions are <span>expected</span>

@annevk annevk Jun 9, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"During" instead of "In" seems more natural. What do you think?

@foolip foolip Jun 10, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that's better, I'll change it.

to be rendered with default appearance that ignores any user preferences.</p>

@annevk annevk Jun 9, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this means the website ends up violating the law in certain jurisdictions, we might want to have a warning here or alongside the eventual feature that uses this. Or maybe we should not support media elements given that we cannot make them accessible?

@foolip foolip Jun 10, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other option would be to respect the user settings and say that it's better on balance to leak these settings than for video to be impossible with HTML-in-Canvas. What's your preference?

@annevk annevk Jun 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cannot leak these settings. They would allow for unique fingerprints in many cases of an already vulnerable population.


<p>When the user agent starts <span data-x="expose a user interface to the user">exposing a user
interface</span> for a <code>video</code> element, the user agent should run the <span>rules for
updating the text track rendering</span> of each of the <span data-x="text track">text
Expand Down Expand Up @@ -153312,6 +153315,10 @@ select {
elements in their user interface, as discussed <a
href="#providing-users-with-a-means-to-follow-hyperlinks-created-using-the-link-element">previously</a>.</p>

<p>In <span>privacy-preserving rendering</span>, user agents are <span>expected</span> to act as
if the <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> does not
match.</p>




Expand Down Expand Up @@ -153550,6 +153557,35 @@ if (s = prompt('What is your name?')) {



<h3>Privacy-preserving rendering</h3>

<p>In <dfn export>privacy-preserving rendering</dfn>, any security- or privacy-sensitive
information that isn't otherwise observable to author code are omitted or replaced with safe
defaults. The detailed requirements are in the relevant sections above.</p>

<p>In <span>privacy-preserving rendering</span>, the user agent is expected to:</p>

@annevk annevk Jun 9, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to say "expected" here again. Maybe just drop this paragraph?


<h4>Summary</h4>

<!-- NON-NORMATIVE SECTION -->

<p>The following table summarizes how <span>privacy-preserving rendering</span> affects various
elements and features when they are rendered:</p>

<table>
<thead>
<tr>
<th>Category
<th>Expected behavior
<tbody>
<tr>
<td><code>a</code> and <code>area</code> elements
<td>The <code data-x="selector-visited">:visited</code> <span>pseudo-class</span> never matches.
<tr>
<td><span data-x="media element">Media elements</span>
<td>Subtitles and captionss use default appearance, ignoring any user preferences.
</table>


<h2 split-filename="obsolete" id="obsolete">Obsolete features</h2>

Expand Down
Loading