Editor's Update on Client Hints

Below is the update Yoav Weiss provided for today's meeting - the same
update Mark read into the record. As discussed in person, the WG needs to
further discuss the scope and timing changes it represents (feel free to
use this thread).

Yoav, thanks for providing the update!

::::

This is a short update on the current status of Client-Hints:
* Accept-CH-Lifetime and the caching mechanism have pending PRs (Fetch#773
<https://github.com/whatwg/fetch/pull/773> and HTML#3774
<https://github.com/whatwg/html/pull/3774>) to integrate their processing
with the Fetch & HTML specifications.
* Client-Hints are now limited to same-origin and secure connections.
* There are plans <https://github.com/WICG/feature-policy/issues/129> to
use Feature Policy as an explicit delegation mechanism for pages to send
specific Client-Hints to certain third parties.
* There are exciting plans
<https://github.com/w3ctag/design-reviews/issues/320> to use Client-Hints
to *minimize* the fingerprinting surface that browsers currently expose.
* Since the list of headers keeps getting longer, we're contemplating
<https://github.com/httpwg/http-extensions/issues/716> using a `Sec-CH-`
prefix for them (or similar) in order to reduce the probability that some
server will misinterpret them, as well as reduce the administrative
complexity of adding those headers to the CORS safelist.
* Similarly to the way the `save-data` hint was removed from the IETF
draft, we're thinking of further removing the `DPR`, `Viewport-Width` and
`Width` hints to their own spec which is better integrated with Fetch and
HTML, in order to create better separation between the Client-Hints
mechanism and the features that use it.

Hope that clarifies things. Please let me know if you have any further
questions, or if you prefer me to post this update somewhere public.
Apologies for not sending it sooner.