- From: Yoav Weiss <notifications@github.com>
- Date: Thu, 24 May 2018 04:11:04 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/726/391676446@github.com>

I started working on the "CH opt-in" cache part at https://github.com/whatwg/fetch/pull/729, but following an [IRC discussion](https://freenode.logbot.info/whatwg/20180522#c1556544) with @annevk I'm now wondering what's the right way forward. The above PR adds that infrastructure to Fetch, but it was suggested that HTML might be a more appropriate place.

Among other considerations, it depends on whether the response header handling is limited to navigation responses (which are also [handled in HTML](https://html.spec.whatwg.org/#process-a-navigate-response)) or also covers subresource responses (handled only in Fetch AFAICT).

Talking to @igrigorik, the use case for handling the `Accept-CH-Lifetime` headers on subresources is to enable [double-keying them](https://github.com/httpwg/http-extensions/issues/372#issuecomment-350803441) for hints sent to third-party resources, for improved privacy protections. However, with the upcoming Feature Policy [client hints opt-in to specific hosts](https://github.com/WICG/feature-policy/issues/129), I'm not sure double keying is still necessary from a privacy perspective. Opinions?

/cc @arturjanc @tarunban

Received on Thursday, 24 May 2018 11:11:27 UTC