Re: Migrating some high-entropy HTTP headers to Client Hints.

Hello Ilya,

On 2019/01/29 08:07, Ilya Grigorik wrote:

> Hi Martin.
> 
> To echo what Mike highlighted before, I don't think we're suggesting that
> CH will eliminate fingerprinting. To your point, yes 3P providers will
> likely request that site owners grant access to these hints, but that in
> itself is already a significant step forward: hints are restricted to
> secure transports (significantly reduced fingerprinting surface area for
> unencrypted traffic); 1P must explicitly state what hints they want to
> receive (auditing); 1P must explicitly delegate permission to 3Ps (auditing
> and permission based access). Compare that to status quo today, where there
> are no signals on what data is being requested and used by whom, and most
> 1P's being entirely unaware of which 3P's are collecting what data from
> their users.
> 
> CH is not a magic bullet but the constraints it introduces — I think —
> offer significant accountability and transparency improvements over status
> quo.

Thanks for the explanations. If something similar can go into the 
relevant draft, in a "Privacy Considerations" section if there is one, 
and if not as part of the "Security Considerations" section or in some 
other appropriate place, then that would be great.

Regards, Martin.

> ig
> 

Received on Tuesday, 29 January 2019 07:35:08 UTC