Re: Roman Danyliw's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT) from Yoav Weiss on 2020-06-17 (ietf-http-wg@w3.org from April to June 2020)

From: Yoav Weiss <yoav@yoav.ws>
Date: Wed, 17 Jun 2020 10:45:57 +0200
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-client-hints@ietf.org, httpbis-chairs@ietf.org, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
Message-ID: <CACj=BEgKrqGXWNuMGZZWq7221=bnPSm2zw6xiKpu=J8MbdSKeg@mail.gmail.com>

Thanks for reviewing! Apologies for the delayed reply... :/

On Tue, May 19, 2020 at 8:52 PM Roman Danyliw via Datatracker <
noreply@ietf.org> wrote:

> Roman Danyliw has entered the following ballot position for
> draft-ietf-httpbis-client-hints-14: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> ** Section 4.1.  Per “Therefore, features relying on this document to
> define
> Client Hint headers MUST NOT provide new information that is otherwise not
> available to the application via other means, such as existing request
> headers,
> HTML, CSS, or JavaScript”, would this text allow for a shift in
> permissiveness
> if the references specs changed?  For example, if something was not
> permissible
> in Javascript/HTML/CSS “vX” today, but it was in “vX+1”, would that mean
> that
> additional data could be sent as hints?  I’m exploring the value of
> assigning
> version numbers to HTML, CSS and Javascript to freeze the security
> assumptions.
>

The underlying assumption is that data exposed in CSS/JS/HTML and Client
Hints is generally equivalent.
If we were to somehow version and  freeze security assumptions for the
former, we'd need to do the same regarding the latter.

> ** Section 4.1.  Per “User agents need to consider the value provided by a
> particular feature vs these considerations, and MAY have different policies
> regarding that tradeoff on a per-feature basis”, IMO more is needed to
> handle
> these tradeoffs.  User agent implementations SHOULD expose this policy
> creation
> process through a rich set of configuration/tuning options and with an API
> to
> enable privacy-minded, third party software to assist the user in making
> choices.
>

I'm not sure that this is something this document needs to try and enforce.
Different user agents have varying broad philosophies regarding the privacy
tradeoffs of varying features (beyond Client Hints related ones), the
user's ability to make an informed decision on that front, and regarding
enabling third party software to intervene in those decisions. Those
philosophies are not likely to change.

> ** Section 4.1. Per “Implementers SHOULD restrict delivery of some or all
> Client Hints header fields to the opt-in origin only, unless the opt-in
> origin
> has explicitly delegated permission to another origin to request Client
> Hints
> header fields”, how does this delegation happen?
>

For browsers, that happens using Feature Policy
<https://github.com/WICG/client-hints-infrastructure#cross-origin-hint-delegation>
(processing model
<https://wicg.github.io/client-hints-infrastructure/#request-processing>).

Received on Wednesday, 17 June 2020 08:46:27 UTC