Remix.run Logo
sheept an hour ago

Any page can silently trigger an additional multi-gigabyte download for Chrome users by just calling this API:

    await LanguageModel.create()
Since the model is installed once per browser, LanguageModel.availability() could probably also be used for fingerprinting.
tantalor an hour ago | parent | next [-]

Indeed, you could even do something like this:

    await fetch("/multi-gigabyte-download");
It even works on non-Chrome browsers.
bstsb an hour ago | parent [-]

i think the point is that one actually burns disk space, while the other is just a nuisance for people on plans with limited data

gruez an hour ago | parent | next [-]

You can store up to 80% of free disk space with indexeddb

https://rxdb.info/articles/indexeddb-max-storage-limit.html

DennisAleynikov an hour ago | parent | prev [-]

using a browser is an easy way to burn disk space and limited data

light browsing is not a thing unless you somehow ensure javascript is disabled and all downloads are blocked

bri3d an hour ago | parent | prev [-]

Just the availability wouldn't be that bad from a fingerprinting standpoint (getting one bit that a majority of Chrome users have is just the same bits you already have, usually), except, it also exposes whether the underlying hardware is "eligible," and once it's running, you can also benchmark the language model performance. It's a mess. I think it might also be broken and work in iframes, which would be an even bigger mess; there are a few bug reports suggesting this although many of them look like slop.

This feature was massively bungled; I actually don't overall hate the idea of it (having a shared, pre-downloaded model that can run effectively from JS is kind of awesome versus sites downloading stuff into LocalStorage to use with hacked up wasm/webgl inference engines), but it really, really needed a permissions dialog and a proper anti-fingerprinting model.

tantalor an hour ago | parent [-]

> really needed a permissions dialog

Why?

bri3d an hour ago | parent [-]

Users with data caps are an obvious reason, for example, see this frustrated user report here: https://support.google.com/chrome/thread/415181794/chrome-al... .

To your point about `fetch` in the sibling comment; yes, I would also be annoyed by a website which downloaded 4GB in the background without asking me, too.

I don't think this is some moral outrage, to be clear; it's well within Google's rights, it doesn't seem "sketchy" at all, and it is kind of a cool feature, but it feels like they could have done a lot better by just making it opt-in and a little less fingerprintable.