Re: [w3ctag/design-reviews] hrefTranslate attribute (#301) from L. David Baron on 2019-11-26 (public-webapps-github@w3.org from November 2019)

From: L. David Baron <notifications@github.com>
Date: Tue, 26 Nov 2019 14:42:33 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/301/558849066@github.com>

We discussed this in our teleconference today.  Based on the discussion we had two weeks ago, we were expecting to see somewhat more change to the explainer.  I think a number of TAG members were inclined to close this again as "unsatisfied", but I wanted to say explicitly that we were expecting a bit more change to the explainer so that you had another chance to revise it in response to that feedback.

Currently, the explainer seem to be internally inconsistent on a number of points:
* whether `hrefTranslate` is a hint to the user-agent or a command that the site can expect to be reliably followed
* whether the translation done by a browser implementing `hrefTranslate` must be client-side, or might instead be server side.  (I think this is mainly that the sentence "Note that this translation service could be server-side or client-side, depending on which is available." disagrees with the opposite point made in a number of other places in the explainer.)

We were also hoping to see a little bit more explanation in the "Privacy Considerations" section of the explainer, which is currently three sentences.  It seems worth explaining what some of the issues that people might be worried about are and where this proposal does or doesn't have issues that are worth thinking about.  For example, translation generally has the issue that the user has to trust the translation service with their browsing history.  But beyond that, it seems worth comparing the privacy characteristics of browser-mediated ("client-side") translation (where there's less direct transfer of information from one website to another, but where the website the user is visiting can probably figure out by looking at the DOM or layout results that this user in particular has translated the page to a particular language) with the privacy characteristics of server-mediated translation (where the origin model is broken and the referring site directly invokes the translation service by its URL, but the translated page probably then knows less about the user).  I think there was a good bit more discussed when we talked about this two weeks ago, and I don't remember all the details, but I do recall that our conclusion then was that the explainer could say a bit more about the privacy and security considerations to make it clear how the relevant issues had (or hadn't) been considered.

Along similar lines, it also feels worth expanding on the statement that there will be a permission prompt, with a clearer explanation of what it is that the browser needs to ask permission for, and why user consent is needed.

I think it also may be worth expanding on the ecosystem concerns that I raised in the first part of https://github.com/w3ctag/design-reviews/issues/301#issuecomment-553180605 .

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/301#issuecomment-558849066

Received on Tuesday, 26 November 2019 22:42:36 UTC