| ▲ | sheept an hour ago | ||||||||||||||||||||||
Any page can silently trigger an additional multi-gigabyte download for Chrome users by just calling this API:
Since the model is installed once per browser, LanguageModel.availability() could probably also be used for fingerprinting. | |||||||||||||||||||||||
| ▲ | tantalor an hour ago | parent | next [-] | ||||||||||||||||||||||
Indeed, you could even do something like this:
It even works on non-Chrome browsers. | |||||||||||||||||||||||
| |||||||||||||||||||||||
| ▲ | bri3d an hour ago | parent | prev [-] | ||||||||||||||||||||||
Just the availability wouldn't be that bad from a fingerprinting standpoint (getting one bit that a majority of Chrome users have is just the same bits you already have, usually), except, it also exposes whether the underlying hardware is "eligible," and once it's running, you can also benchmark the language model performance. It's a mess. I think it might also be broken and work in iframes, which would be an even bigger mess; there are a few bug reports suggesting this although many of them look like slop. This feature was massively bungled; I actually don't overall hate the idea of it (having a shared, pre-downloaded model that can run effectively from JS is kind of awesome versus sites downloading stuff into LocalStorage to use with hacked up wasm/webgl inference engines), but it really, really needed a permissions dialog and a proper anti-fingerprinting model. | |||||||||||||||||||||||
| |||||||||||||||||||||||