- From: Bil Corry <bil@corry.biz>
- Date: Tue, 14 Jul 2009 23:11:26 -0500
- To: =JeffH <Jeff.Hodges@KingsMountain.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

=JeffH wrote on 7/14/2009 10:35 PM:
> I scrawled..
>>
>> 7. Section 5 -- "privacy-sensitive" context is undefined. It is implicitly
>> vaguely defined in sec 7. Also, assuming a definition exists, how does some
>> given UA "know" whether it is "in" a privacy-sensitive context?
>
> ..but I hadn't yet read this thread over on public-webapps@..
>
> Denoting privacy-sensitive requests (was: Re: Do we need to rename the
> Origin header?)
> http://www.mail-archive.com/public-webapps@w3.org/msg04198.html
>
> which discusses this notion. Basically, draft-abarth-origin is intended
> to be profiled by other specs, e.g. HTML5, and it is (intended that)
> within such higher-level context that the "privacy-sensitive" notion
> will be materialized.

Yes, and the latest is that Adam Barth will separately define "privacy-sensitive" for HTML5, at which point Ian Hickson will add it to the HTML5 draft:

http://www.mail-archive.com/public-webapps@w3.org/msg04367.html

I had an outstanding question whether HTML5 would allow an author to override the default choices for "privacy-sensitive" requests, but Ian yesterday indicated that no such support would be added to HTML5 (but maybe in the future):

http://www.mail-archive.com/public-webapps@w3.org/msg04360.html

Jonas Sicking does an excellent job here explaining why "privacy-sensitive" is tricky, because it's based on the context of the request:

http://www.mail-archive.com/public-webapps@w3.org/msg04001.html

So given that identical requests may be "privacy-sensitive" based entirely on context, and given that only the site itself understands the context, and given that HTML5 will not provide a way for the author to denote the context, we're left with Adam's default definition which may or may not be appropriate for any given request.

- Bil

Received on Wednesday, 15 July 2009 04:12:27 UTC