Summary:
window.outerHeight/outerWidth are legacy properties that report the
size of the outer window of the browser. Subtracting
innerHeight/innerWidth from them exposes the size of the user's browser
chrome, which can be unique depending on customization, but at the
least reveals non-standardized information that can be used for
fingerprinting purposes.

I have a hard time figuring out how a website would use it for
(legitimate|reasonable) rendering purposes. I discussed it with Anne
and we'd like to neuter it and see if we can remove this
fingerprintable information if possible.

Tor Browser (and RFP mode) has reported the values of
innerHeight/innerWidth for outerHeight/outerWidth for a long time and
I haven't seen or heard of any breakage caused as a result of that.

(We'll also need to spoof window.screenX and window.screenY as
window.mozInnerScreenX and window.mozInnerScreenY respectively.)

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1579584
Standard: https://www.w3.org/TR/cssom-view-1/#dom-window-outerwidth
Platform coverage: All, although TBH I don't know how this behaves on Android...

Preference: Yes, this will be controlled by a preference that I'll
flip for Nightly for now and watch for reports of breakage.

DevTools bug: n/a
Other browsers: I haven't proposed this to any other browsers.
web-platform-tests: I don't believe any WPT actually test for the
correct value here.
Secure contexts: This will be applicable everywhere

I considered adding telemetry for the properties; but reading them
doesn't imply websites are relying on them for anything.

-tom
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
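
A check for whether the neutering described in this message is in effect, as an added example (not code from the original message or from Firefox). It compares each outer/screen property with the inner value the message says will be reported instead; the function name, status labels, sub-pixel tolerance and sample window objects are assumptions constructed for illustration.

```javascript
// Audit a window-like object for the chrome-size exposure discussed above.
// Pass the real `window` in a browser console, or a plain object as below.
function auditWindowGeometry(win) {
  const num = (v) => (typeof v === "number" && Number.isFinite(v) ? v : null);
  // Each legacy property paired with the value a neutered browser reports.
  const pairs = [
    ["outerWidth", "innerWidth"],
    ["outerHeight", "innerHeight"],
    ["screenX", "mozInnerScreenX"],
    ["screenY", "mozInnerScreenY"],
  ];
  const findings = pairs.map(([outer, inner]) => {
    const o = num(win[outer]);
    const i = num(win[inner]);
    if (o === null || i === null) {
      // mozInnerScreenX/Y are Gecko-only: absence is neither pass nor fail.
      return { property: outer, status: "unknown", delta: null };
    }
    const delta = o - i;
    // Assumption: differences under 1 CSS pixel are rounding, not chrome.
    // A zero delta also occurs without spoofing (e.g. fullscreen), so the
    // label says only that nothing is exposed, not why.
    const status = Math.abs(delta) < 1 ? "no-delta" : "exposed";
    return { property: outer, status, delta };
  });
  const leaks = findings.filter((f) => f.status === "exposed").map((f) => f.property);
  return { findings, leaks };
}

// Constructed sample: window with visible browser chrome, no spoofing.
const SAMPLE_DEFAULT = {
  innerWidth: 1280, innerHeight: 720, outerWidth: 1296, outerHeight: 805,
  screenX: 100, screenY: 50, mozInnerScreenX: 108, mozInnerScreenY: 127,
};
// Constructed sample: same window with outer/screen values replaced by inner ones.
const SAMPLE_NEUTERED = {
  innerWidth: 1280, innerHeight: 720, outerWidth: 1280, outerHeight: 720,
  screenX: 108, screenY: 127, mozInnerScreenX: 108.5, mozInnerScreenY: 127,
};
// Constructed sample: engine without the moz-prefixed properties.
const SAMPLE_NO_MOZ = {
  innerWidth: 1280, innerHeight: 720, outerWidth: 1280, outerHeight: 799,
  screenX: 0, screenY: 0,
};

console.log(auditWindowGeometry(SAMPLE_DEFAULT).leaks);
```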
