Refine definition of fingerprinting to exclude entropy behind a prompt?

[jasonanovak]

In 1.1, fingerprinting is defined as

In short, browser fingerprinting is the capability of a site to identify or re-identify a visiting user, user agent or device via configuration settings or other observable characteristics.

In practice, browser developers (and PING) seem to consider prompting as a mitigation for fingerprinting. As a result, it seems like it would be worthwhile to add some notion of “passively without user interaction” or “without prompting or alerting the user” to the definition of fingerprinting.

[npdoty]

As noted in #21, I'm not sure we should change the definition, but I do think there's an important mitigation to be highlighted here.

[jyasskin]

FWIW, I think it's still a problem if users who grant an innocuous-looking permission prompt wind up accidentally giving a site access to a permanent identifier for their installation. So 👍 on treating the prompt as a severity reduction rather than excluding the entropy entirely