Re: Migrating some high-entropy HTTP headers to Client Hints. from Mark Nottingham on 2018-12-02 (ietf-http-wg@w3.org from October to December 2018)

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 2 Dec 2018 14:48:27 +1100
To: Yoav Weiss <yoav@yoav.ws>, Ilya Grigorik <igrigorik@google.com>
Cc: Mike West <mkwst@google.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <EF037FEC-0B9C-4E9C-B20C-FBABC2FB1761@mnot.net>
Speaking personally --

I could see splitting out the various task-specific bits into separate documents (e.g., images).

However, it's not good to ship a framework like this without having it actually working for a real-world use case, so even if we split out all of the various CHs into separate docs, I think we'd need to hold the "main" document until at least one of those is ready.

Just a thought -- replacing User-Agent is probably suitable for that test case (in addition to the image-focused stuff, or perhaps instead of it). If we do decide to do that, it might be suitable to put it in the core document, since that seems like it's pretty central to what's going on here (the current claims in the document about not replacing UA notwithstanding).

Chair hat on -- what I did notice was that when the update for CH was read in Bangkok, *many* WG participants expressed surprise at the direction you were taking it in; most people seemed to think that this document was almost done in its current form, and there was concern that forming WG consensus on that was being disregarded. So whatever you do here, please make sure you get buy-in on the list, and make sure you coordinate with the chairs. Continuing this discussion and moving towards a common idea of what the doc(s) should include, when we should ship them, etc. sounds like a good start.

Cheers,


> On 30 Nov 2018, at 9:10 pm, Yoav Weiss <yoav@yoav.ws> wrote:
> 
> 
> 
> On Fri, Nov 30, 2018 at 9:47 AM Mike West <mkwst@google.com> wrote:
> On Fri, Nov 30, 2018 at 1:30 AM Mark Nottingham <mnot@mnot.net> wrote:
> I, for one, welcome our new Client Hint overlords.
> 
> Personally, I'd like to see these integrated into the current CH document, rather than as separate drafts. CH still needs some work, so it's not like we're going to get it out the door tomorrow.
> 
> On my list, I want to remove the specific image-related features and move them to their own specification, with a well defined browser processing model.
> Anything else that's needed to get CH infra "out the door tomorrow"? :)
>  
> 
> These hints seem pretty clearly separable from the infrastructure upon which they're built. I'd prefer to split them out into things-in-themselves that we can point developers towards independently, giving ourselves the opportunity to explain the rationale and background more coherently than I think we'll be able to if we bury these in a subsection of the larger document.
> 
> Similarly, I'd prefer clear distinctions between "CH as infrastructure" and "Features that use the CH infrastructure".
> We've had a lot of confusion and resistance to "CH the infrastructure" due to some of the features that rely on it, and clearly separating the two will enable implementations and user-agents to say "I support the CH infrastructure, and certain features relying on it, but not feature X".
> 
> From a procedural perspective, we wouldn't want every added feature to delay "CH as infrastructure" to advance.
>   
> 
> I'll defer to the group as to how y'all would like to handle these, but I'd prefer several short and focused docs as a reader.
> 
> -mike
> 
> However, it seems like Ilya wants to go in a different direction, based upon the notes we received for Bangkok.
> 
> Ilya, your thoughts?
> 
> 
> 
> > On 29 Nov 2018, at 9:22 pm, Mike West <mkwst@google.com> wrote:
> > 
> > Hey folks,
> > 
> > Section 9.7 of RFC7231 rightly notes that some of the content negotiation headers user agents deliver in HTTP requests create substantial fingerprinting surface. I think it would be beneficial if we took steps to reduce their prevalence on the wire, and Client Hints looks like a reasonable infrastructure on top of which to build.
> > 
> > `User-Agent` and `Accept-Language` seem like particularly tasty and low-hanging fruit, and I've sketched out two proposals as proofs of concept:
> > 
> > *   `User-Agent` could be represented as ~four distinct hints: `UA`, `Model`, `Platform`, and `Arch`: https://github.com/mikewest/ua-client-hints is a high-level explainer, and https://tools.ietf.org/html/draft-west-ua-client-hints a sketchy ID for the new headers.
> > 
> > *   `Accept-Language` could be represented as a `Lang` hint: https://github.com/mikewest/lang-client-hint is a high-level explainer, https://tools.ietf.org/html/draft-west-lang-client-hint an equally sketchy ID for the new header.
> > 
> > I'd appreciate y'all's feedback. Thanks!
> > 
> > -mike
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Sunday, 2 December 2018 03:49:18 UTC