- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 3 Jul 2018 13:50:53 +1000
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, "Ludin, Stephen" <sludin@akamai.com>, Nick Sullivan <nick@cloudflare.com>
On Tue, Jul 3, 2018 at 12:34 PM Mark Nottingham <mnot@mnot.net> wrote:
> > , are there some missing privacy considerations?
>
> Such as? It's only a request header. I suppose the CDN could put sensitive information in the payload if it wanted to, but that's no different from any other header field that allows extensibility, or unregistered fields. Did you have something else in mind?

Yeah, it's not inherently bad, unless the CDN decides to make it so. A gentle admonishment to keep this to information that directly identifies the CDN would help. Failing that, any information the CDN adds should only be for its own consumption and it should therefore be constructed in a way that ensures that.

Received on Tuesday, 3 July 2018 03:51:27 UTC