W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: "privacy-sensitive" context (was: Comments on the HTTP Sec-From Header (draft-abarth-origin))

From: Bil Corry <bil@corry.biz>
Date: Tue, 14 Jul 2009 23:11:26 -0500
Message-ID: <4A5D56EE.9090706@corry.biz>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
=JeffH wrote on 7/14/2009 10:35 PM: 
> I scrawled..
>>
>> 7. Section 5 -- "privacy-sensitive" context is undefined. It is
> implicitly
>> vaguely defined in sec 7. Also, assuming a definition exists, how does
> some
>> given UA "know" whether it is "in" a privacy-sensitive context ?
> 
> ..but I hadn't yet read this thread over on public-webapps@..
> 
> 
> Denoting privacy-sensitive requests (was: Re: Do we need to rename the
> Origin header?)
> http://www.mail-archive.com/public-webapps@w3.org/msg04198.html
> 
> 
> which discusses this notion. Basically, draft-abarth-origin is intended
> to be profiled by other specs, e.g. HTML5, and it is (intended that)
> within such higher-level context that the "privacy-sensitive" notion
> will be materialized.

Yes, and the latest is that Adam Barth will separately define "privacy-sensitive" for HTML5, at which point Ian Hickson will add it to the HTML5 draft:

	http://www.mail-archive.com/public-webapps@w3.org/msg04367.html


I had an outstanding question whether HTML5 would allow an author to override the default choices for "privacy-sensitive" requests, but Ian yesterday indicated that no such support would be added to HTML5 (but maybe in the future):

	http://www.mail-archive.com/public-webapps@w3.org/msg04360.html


Jonas Sicking does an excellent job here explaining why "privacy-sensitive" is tricky, because it's based on the context of the request:

	http://www.mail-archive.com/public-webapps@w3.org/msg04001.html


So given that identical requests may be "privacy-sensitive" based entirely on context, and given that only the site itself understands the context, and given that HTML5 will not provide a way for the author to denote the context, we're left with Adam's default definition which may or may not be appropriate for any given request.


- Bil
Received on Wednesday, 15 July 2009 04:12:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:07 GMT