- From: Nick Doty <notifications@github.com>
- Date: Mon, 28 May 2018 14:45:51 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 28 May 2018 21:46:14 UTC
I don't think the third-party indication that it will make use of Client Hints is redundant even if the first party indicates that it trusts the third party to receive that data. The purpose of the opt-in request was for servers to indicate what data they will make use of (which improves transparency on practices like fingerprinting) and to only send the necessary data (data minimization). If a first party site just says, "all of my embedded parties are cool", that may not provide the user or researcher with much indication that the third party wants or needs the data.

(Not sure we should call this "double-keying", as it's not like the case of cookies/storage that is different for different pairs of origins, but rather that data is transmitted only if both sides of the origin pair allow it. What do we call the practice of allow* attributes on iframes?)

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/726#issuecomment-392607809