
I'm always a proponent of rooting for the underdog. But in this scenario I am finding it hard to justify doing so. Beeper isn't doing this for some mystical enthusiasm for hacking and exploiting or sticking it to the man. Its motives are purely incentivized by profit, which makes it hard for me to root for. If this were a small-time hobbyist providing a solution for an existing problem, sure, I'm all game for that.


Sorry, I'm a little lost. I tried thinking about it, but I can't think of any nefarious attacks someone could do with screenX/Y. Why is that such a risk? What could they possibly learn from that other than screen size?


The fingerprinting potential may well be limited, but it's the principle of the thing: The browser should not provide unnecessary information about its surroundings.

It would be another matter if this was a very useful feature, but I don't think that it is.

Here's one use for it: Ads could sense that they are off-screen and withhold content until the ad is moved back in view. I could easily see screenX/Y being used for that. I mean, I hope not, but how am I going to stop it?


Knowing where the window is, you can generate something the user will click on at a known position, and then at the right time you trigger something like an administrator privilege escalation confirmation dialog, and the user clicks that instead.

Clickjacking is always fun.


Because fingerprinting. Shit like this is the reason you are supposed to use the Tor browser only with a tiny window.


> you are supposed to use the Tor browser only with a tiny window

I hadn't ever heard of this. Here is a statement from the Tor project for anyone else wondering what this is about:

> We automatically resize new browser windows to a 200x100 pixel multiple based on desktop resolution which is provided by a Firefox patch. To minimize the effect of the long tail of large monitor sizes, we also cap the window size at 1000 pixels in each direction. In addition to that we set privacy.resistFingerprinting to true to use the client content window size for window.screen, and to report a window.devicePixelRatio of 1.0. Similarly, we use that preference to return content window relative points for DOM events. We also force popups to open in new tabs to avoid full-screen popups inferring information about the browser resolution. In addition, we prevent auto-maximizing on browser start, and inform users that maximized windows are detrimental to privacy in this mode


Fingerprinting by screen size is real. I checked one day, and it turned out my browser viewport size when maximized is super unique (like <0.1% of users). That's mostly because I use Sidebery (tabs on the left instead of the top) and don't have a (visible by default) bookmarks tab, but wow, I didn't expect to be so obvious to advertisers just from reading my page-usable screen size.
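An added example, not code from this thread or from the Tor Project, tying the two comments above together: what a page can read from the window object without any prompt, how identifying a raw viewport size is across a small population, and how the window rounding rule quoted from the Tor Project (multiples of 200x100, capped at 1000 pixels per axis) collapses those values. It runs offline under Node; the sample browsers are constructed, invented numbers, and the behaviour for windows smaller than one rounding step is an assumption.

```javascript
// Added example (not code from this HN thread or from the Tor Project):
// what a page can read about the window, how identifying a raw viewport
// size is across a small population, and how the rounding rule quoted
// above (multiples of 200x100, capped at 1000 per axis) collapses it.
// Runs offline under Node; in a real page you would pass `window`.

// The no-permission-needed surface discussed in the thread.
function viewportFingerprint(win) {
  return {
    screen: `${win.screen.width}x${win.screen.height}`,
    viewport: `${win.innerWidth}x${win.innerHeight}`,
    position: `${win.screenX},${win.screenY}`, // where the window sits on the desktop
    dpr: win.devicePixelRatio,
  };
}

// Rounding rule from the quoted Tor Project statement. Assumption for this
// example: a window smaller than one step reports the minimum step
// (200x100) rather than 0.
function torRound(width, height) {
  const w = Math.max(200, Math.min(1000, Math.floor(width / 200) * 200));
  const h = Math.max(100, Math.min(1000, Math.floor(height / 100) * 100));
  return { width: w, height: h };
}

// What the same page sees under privacy.resistFingerprinting as described
// in the quote: window.screen mirrors the (rounded) content window and
// devicePixelRatio is 1.0. The quote does not cover screenX/Y, so the
// position is left out here rather than guessed.
function torFingerprint(win) {
  const r = torRound(win.innerWidth, win.innerHeight);
  const size = `${r.width}x${r.height}`;
  return { screen: size, viewport: size, dpr: 1 };
}

// Anonymity sets: how many browsers in the population share a key.
// A set of size 1 means that value alone singles the user out.
function anonymitySets(population, keyFn) {
  const counts = new Map();
  for (const b of population) {
    const k = keyFn(b);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Number of users whose key is unique within the population.
function uniqueCount(population, keyFn) {
  const sets = anonymitySets(population, keyFn);
  return population.filter((b) => sets.get(keyFn(b)) === 1).length;
}

const rawKey = (b) => viewportFingerprint(b).viewport;
const roundedKey = (b) => torFingerprint(b).viewport;

// Constructed sample population (invented numbers): common screens, mostly
// default browser chrome, plus one user with a tab sidebar and no bookmarks
// bar (the fourth entry), like the comment above. Two pairs share an exact
// viewport; everyone else is unique on the raw value.
function sample(sw, sh, iw, ih, sy, dpr) {
  return { screen: { width: sw, height: sh }, innerWidth: iw, innerHeight: ih,
           screenX: 0, screenY: sy, devicePixelRatio: dpr };
}
const SAMPLE_BROWSERS = [
  sample(1920, 1080, 1920, 969, 0, 1),
  sample(1920, 1080, 1920, 969, 0, 1),
  sample(1920, 1080, 1920, 937, 0, 1),
  sample(1920, 1080, 1659, 1017, 0, 1), // sidebar + no bookmarks bar
  sample(2560, 1440, 2560, 1329, 0, 1),
  sample(1440, 900, 1440, 789, 23, 2),
  sample(1440, 900, 1440, 789, 23, 2),
  sample(1366, 768, 1366, 657, 0, 1),
  sample(1366, 768, 1366, 625, 0, 1),
];

console.log('unique by raw viewport:', uniqueCount(SAMPLE_BROWSERS, rawKey));
console.log('unique after Tor rounding:', uniqueCount(SAMPLE_BROWSERS, roundedKey));
```

With these constructed values five of nine users are unique on the raw viewport and none after rounding: the 1000-pixel cap folds the 1920 and 2560 widths together, which is exactly the "long tail of large monitors" the quoted statement is addressing, and the sidebar user's 1659x1017 lands in the same 1000x1000 bucket as the 2560x1440 user. Real populations are larger and the exact counts differ; the ratio is the point. Note that this only hides size, and a maximized window still leaks that it is maximized by reporting the capped value, which is why the Tor Project warns against maximizing.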

