- From: Luis Barguñó Jané <luisbargu@gmail.com>
- Date: Wed, 9 Aug 2017 09:00:26 +0200
- To: Lucas Pardue <Lucas.Pardue@bbc.co.uk>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAPA9heWB9rdKU3VSQwQYt993nHo1=WwxcUB0NfUK2Nt6Nd9x7g@mail.gmail.com>
Simplifying path seems like a good option, but not sure how non-top level requests that use the well known path could be prevented from getting location. Restricting to top level frames and only send header when the origin is visible to the user in the address bar seems even safer than the JS API approach. On 9 Aug. 2017 3:12 am, "Lucas Pardue" <Lucas.Pardue@bbc.co.uk> wrote: > Could you simplify the path aspects of this to perhaps address some of the > privacy concerns? > > I'm thinking, coin a new .well-known address for geolocation and restrict > UAs to only send request header there. This makes it harfer to proliferate > the header unintentionally. This is still subject to origin level agreement > and server asking for information. > > Lucas > ________________________________________ > From: Luis Barguñó Jané [luisbargu@gmail.com] > Sent: 08 August 2017 21:41 > To: Walter H. > Cc: ietf-http-wg@w3.org > Subject: Re: Geolocation header > > after the 3rd question you will allow it for the whole site, believe me ... > otherways the non existence of a serious use case is just proven ... > > The permission is per-origin, so no need for a 3rd question. The > permission is the same as the JS API. > > and the optimization you are talking about doesn't really make any sense, > when you are talking serious about the > problems you're raising ... > > > I'm still not sure I understand the tone of your replies, instead of a > constructive attitude. Regardless of the content we are discussing, I never > said what you mention "doesn't make any sense", even if I don't agree. > Because that goes beyond respect. > > I still think two roundtrips to one roundtrip makes sense, and probably > others who care about the internet agree. > > And back to the concern you have. See sentence in the document I sent: > "Consider: The Geolocation header MUST only be sent when the request is > for a page loaded in a top level frame." > > If we decide to include this, the scenario you are describing is just gone? > > > ----------------------------- > http://www.bbc.co.uk > This e-mail (and any attachments) is confidential and > may contain personal views which are not the views of the BBC unless > specifically stated. > If you have received it in > error, please delete it from your system. > Do not use, copy or disclose the > information in any way nor act in reliance on it and notify the sender > immediately. > Please note that the BBC monitors e-mails > sent or received. > Further communication will signify your consent to > this. > ----------------------------- >
Received on Wednesday, 9 August 2017 07:00:50 UTC