继 Chrome 94 引入空闲检测 API 后,Google 在 Chrome 97 中再次引入争议 API —— Keyboard MAP API。
Chrome 96 是 2021 年的最后一个主要稳定版本,于 2021 年 11 月 16 日发布。虽说 Chrome 浏览器已切换为每四周更新一次的更新周期,但由于过去几周时间全球许多国家和地区都处于假期期间,Chrome 97 的发布因此被推迟到了今年,Chrome 97 已于今天正式推出。
Following the introduction of the idle detection API in Chrome 94, Google once again introduced the controversial API-Keyboard MAP API in Chrome 97.
Chrome 96 is the last major stable version in 2021, released on November 16, 2021. Although the Chrome browser has switched to an update cycle that is updated every four weeks, the release of Chrome 97 has been postponed to this year due to the holiday period in many countries and regions around the world in the past few weeks. Chrome 97 has been officially launched today.
The new version of the Chrome browser introduced a controversial keyboard mapping API (Keyboard MAP API). The API cannot be used by web applications because it cannot be used in iframes. Web applications such as the web version of Microsoft Office that require a lot of user input cannot use this API to detect keystrokes on the keyboard layout.
The keyboard layout will change depending on the country/region and the main language used (for example, the German keyboard will reverse the "Z" and "Y" letters; Spanish has 27 letters, so there will be an extra "ñ" on the keyboard. ”Button). Now that this new API is introduced in Chrome 97, web applications can use this feature to obtain the user’s keyboard layout, and to further track and identify users, especially for the following two situations to be more accurately identified and tracked:
Users who use unusual keyboard layouts
Users whose keyboard layout is inconsistent with the default layout in their region.
Google’s official explanation for the implementation of this feature is as follows:
GetLayoutMap() is used in conjunction with the code to solve the problem of identifying actual keys on keyboards with different layout mappings (such as English and French keyboards), but because getLayoutMap() is not available in all cases (cannot be used in iframes) ), so Office Web applications such as Excel, Word, PowerPoint, etc. running in an iframe cannot use this API. Adding Keyboard-MAP to the list of allowed attributes can solve this problem.
Although the status page of the feature shows that Web developers are very supportive of it, developers such as Apple, Mozilla, and Brave have expressed concerns. A key argument against these companies is that websites can use this API to track user privacy.
Apple published a response on GitHub stating:
From a privacy point of view, the Keyboard MAP API is unacceptable. Therefore, Apple's WebKit team is not interested in implementing this feature currently proposed.
Brave said:
Brave inherits the implementation of Chrome’s Keyboard MAP API, but does not provide users with any functionality.
Mozilla added the Keyboard MAP API to the list of harmful APIs and stated that it would not implement the API in the Firefox browser.
Although many browsers today are based on Chromium, as long as they do not implement the API or disable the API, they can prevent websites from maliciously using this feature to track user privacy. Another thing worth noting is that the function page shows that the owner of the API is from Microsoft.
新版本的 Chrome 浏览器推出了一个有争议的键盘映射 API(Keyboard MAP API)。该 API 此前因为不能在 iframes 内使用,所以不能被网络应用所调用。诸如网页版微软 Office 之类需要用户大量输入内容的网络应用在此之前是不能利用该 API 来检测键盘布局上的按键。
键盘布局会因国家/地区,以及主要使用的语言不同而发生变化(例如:德语键盘会将 “Z” 与 “Y” 字母对调;西班牙语由于有 27 个字母,因此键盘上会多一个 “ñ” 按键)。如今在 Chrome 97 中引入这个新的 API 使得网络应用可以使用这一功能,从而获得用户的键盘布局,进一步跟踪和识别用户,尤其是针对以下这两种情况能够更加准确识别和追踪:
使用不常见的键盘布局的用户
使用的键盘布局与所在地区的默认布局不一致的用户。
Google 官方对该功能实现原因的解释如下:
getLayoutMap() 与代码结合使用,解决了识别不同布局映射的键盘(如:英语与法语键盘)上的实际按键的问题,但由于 getLayoutMap() 并不是在所有情况下都可用(不能在 iframe 内使用),所以像 Excel、Word、PowerPoint 等在 iframe 内运行的 Office Web 应用程序不能使用这个 API。将 Keyboard-MAP 添加到允许属性列表中可以解决这个问题。
虽然该功能的状态页面显示 Web 开发者对此十分支持,但苹果、Mozilla 和 Brave 等开发商对此表示了担忧。这些公司反对的一个关键论点是,网站可以利用这个 API 来追踪用户隐私。
苹果在 GitHub 上发表了一份回应称:
从隐私的角度来看,Keyboard MAP API 是不可接受的。因此,苹果公司的 WebKit 团队对实现目前提出的这一功能不感兴趣。
Brave 则表示:
Brave 继承了 Chrome 的 Keyboard MAP API 的实现,但并不向用户提供任何功能。
Mozilla 则是将 Keyboard MAP API 添加到了有害 API 列表中,并表示不会在 Firefox 浏览器中实施该 API。
虽说如今有很多浏览器都基于 Chromium,但只要他们不实施该 API 或禁用该 API 就能够阻止网站恶意使用这个功能追踪用户隐私。另一个值得留意的是,功能页面显示该 API 的所有者来自微软。
