Re: "privacy-sensitive" context (was: Comments on the HTTP Sec-From Header (draft-abarth-origin))

=JeffH wrote on 7/14/2009 10:35 PM: 
> I scrawled..
>> 7. Section 5 -- "privacy-sensitive" context is undefined. It is
> implicitly
>> vaguely defined in sec 7. Also, assuming a definition exists, how does
> some
>> given UA "know" whether it is "in" a privacy-sensitive context ?
> ..but I hadn't yet read this thread over on public-webapps@..
> Denoting privacy-sensitive requests (was: Re: Do we need to rename the
> Origin header?)
> which discusses this notion. Basically, draft-abarth-origin is intended
> to be profiled by other specs, e.g. HTML5, and it is (intended that)
> within such higher-level context that the "privacy-sensitive" notion
> will be materialized.

Yes, and the latest is that Adam Barth will separately define "privacy-sensitive" for HTML5, at which point Ian Hickson will add it to the HTML5 draft:

I had an outstanding question whether HTML5 would allow an author to override the default choices for "privacy-sensitive" requests, but Ian yesterday indicated that no such support would be added to HTML5 (but maybe in the future):

Jonas Sicking does an excellent job here explaining why "privacy-sensitive" is tricky, because it's based on the context of the request:

So given that identical requests may be "privacy-sensitive" based entirely on context, and given that only the site itself understands the context, and given that HTML5 will not provide a way for the author to denote the context, we're left with Adam's default definition which may or may not be appropriate for any given request.

- Bil

Received on Wednesday, 15 July 2009 04:12:27 UTC