Re: Geolocation header from Luis Barguñó Jané on 2017-08-22 (ietf-http-wg@w3.org from July to September 2017)

From: Luis Barguñó Jané <luisbargu@gmail.com>
Date: Tue, 22 Aug 2017 16:12:26 +0200
To: Ilya Grigorik <igrigorik@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAPA9heVtQtX8P4TTAiXdPZEhfXum6JT0k9s2PRDGWRvg_oyfqA@mail.gmail.com>

Thanks Ilya,

I think it would make perfect sense re-using CH machinery for this, keeping
things simple to implement and still guaranteeing sites only get
geolocation information when permissions are granted and for requests that
need it. So to summarize:

- CH provides a mechanism to only send geolocation to origins that
explicitly accept it (Accept-CH), and its lifetime (Accept-CH-Lifetime).
- UA would only send Geolocation header if the origin had permission
already granted.
- Permission can only be obtained through JS Geolocation API. Geolocation
headers are only used as a transport mechanism.
- Suborigins <https://w3c.github.io/webappsec-suborigins/> would provide
path-based origins if/when adopted. In the meantime, sites can use
subdomains (e.g. newyork.restaurants.com would not send Accept-CH for
Geolocation, but local.restaurants.com would send Accept-CH for
Geolocation, so only the latest would ever get Geolocation header, when
permissions are already granted).
- Geolocation header would be restricted to only navigation requests.

I'll update the draft with these considerations.

On Fri, Aug 18, 2017 at 8:56 PM, Ilya Grigorik <igrigorik@gmail.com> wrote:

> Hey all.
>
> On Wed, Aug 2, 2017 at 7:05 AM, Luis Barguñó Jané <luisbargu@gmail.com>
>  wrote:
>>
>> After an initial thread on GitHub
>> <https://github.com/httpwg/http-extensions/issues/364>, I decided to
>> start here the discussion so it goes through the proper channels.
>> Here you can find a document detailing the problem and a possible proposal
>> <https://docs.google.com/document/d/1zL4qyOpp6W36H4_eMpmth3Yj_ZTMZ3wCupc01q5qatA/edit>
>>
> After a bit of discussion, it looks like Client Hints (CH)
>> <https://tools.ietf.org/html/draft-ietf-httpbis-client-hints-04> would
>> be a great way to solve this use case, so I'm preparing a draft for a
>> CH-based approach.
>>
>
> As discussed on the GH thread — and I think others echoed same suggestion
> on this thread — I think we should drop the header-based ("type") prompt
> trigger: it's not essential and, based on experience, a bad UX pattern.
> That aside, there's path..
>
> We've looked at path scoping for CH in the past, but the tradeoff between
> functionality that it enables vs. associated implementation complexity and
> (lack of) enforcement is — IMO — not worth it -- e.g. nothing stops a site
> from scoping to "/", which I would expect most sites to do anyway, just as
> they do today with cookies. My recommendation here would be..
>
> 1. Use default origin scoped opt-in that CH provides
> 2. If/when suborigins proposal [1] becomes a thing, it'll allow #1 to be
> path-scoped in a "generic" way.
> 3. Optionally, in addition to #1 + #2, this particular hint could be
> restricted to navigation requests only; which would provide a much stricter
> (and UA enforceable) policy.
>
> ig
>
> [1] https://w3c.github.io/webappsec-suborigins/
>

Received on Tuesday, 22 August 2017 14:12:51 UTC