Re: Request-Off-The-Record Mode header

What would be the requirements on a Proxy?

I'm assuming an origin server would log the requests as normal, but a proxy
might be in a different administrative domain.  Proxies have no user to ask.

Should this header only be used with end-to-end secure connections?








On Mon, 12 Jun 2023 at 08:46, Shivan Kaul Sahib <shivankaulsahib@gmail.com>
wrote:

>
>
> On Sun, 11 Jun 2023 at 17:04, Ángel <angel@16bits.net> wrote:
>
>> On 2023-06-08 at 14:51 -0700, David Schinazi wrote:
>> > This sounds very useful for the domestic violence resources use case,
>> > but at the same time I could imagine malware websites abusing it to
>> > erase traces of how a machine got infected. Would it be possible to
>> > get user consent per origin for this?
>> > David
>>
>> You shouldn't be able to *store* such user content (as that would spoil
>> the intent), but I like the idea of an origin popping up a browser
>> request asking whether to treat it as an Incognito/Private, rather than
>> the website "knowing better than the user" and bypassing the browser
>> features by its own volition.
>>
>> While not mentioned explicitly in the initial message, this already
>> seems to be the way the feature works in Brave.
>>
>
> Right! The default mode is Ask, which means the user will get prompted for
> consent if the website requests Off-The-Record mode. The user can also set
> it to be Allow or Deny in settings or from the prompt.
>
>>
>>
>> Shivan, it would be interesting if you could share a website or test
>> domain for which that feature is enabled in your browser.
>>
>
> It would be any of the websites at
> https://github.com/brave/adblock-lists/blob/master/brave-lists/request-otr.json,
> one example is https://www.loveisrespect.org/. These should work on Brave
> Nightly.
>


-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com