Re: [whatwg/fetch] Integrate latest Client Hints updates (#726)

@npdoty Thanks for the feedback!
The thing that is important to understand about third-party opt-in is that it will add an extra RTT to the time in which such third parties get the required Client-Hints. In practice, it may mean that for the first page load, Client Hints will not be in effect, which is strictly worse than what we have today.

I understand that this will add some transparency to the CH-based fingerprinting, but couldn't we treat the first-party opt-in as serving the same purpose? After all, a third party accepting CH does not mean that it uses them for fingerprinting.



> If a first party site just says, "all of my embedded parties are cool", that may not provide the user or researcher with much indication that the third party wants or needs the data.

Maybe we can limit that by banning "*" as a viable `allow_list_value` in the related Feature-Policy.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/726#issuecomment-392705396

Received on Tuesday, 29 May 2018 09:03:27 UTC