- From: Mike West <notifications@github.com>
- Date: Mon, 05 Nov 2018 03:09:37 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/320@github.com>
Guten TAG!

I'm requesting a TAG review of the general concept of migrating high-entropy HTTP request headers to the Client Hints infrastructure. I have two concrete proposals that I think make sense, but they make the most sense together as part of a broader story about reducing the passive fingerprinting surface available to both network attackers and servers.

- Explainer, Requirements Doc, or Example code:
  * https://github.com/mikewest/ua-client-hints suggests that we split `User-Agent` into `UA`, `UA-Platform`, `UA-Arch`, and `UA-Model` Client Hints.
  * https://github.com/mikewest/lang-client-hint suggests that we turn `Accept-Language` into a `Lang` Client Hint.
- Primary contacts: @mikewest, @thiemonagel

Further details (optional):

- Relevant time constraints or deadlines: [please provide]
- [X] I am passingly familiar with the [Self-Review Questionnaire on Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/).
- [X] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)

You should also know that there's some active disagreement about the value of Client Hints generally. We had a number of discussions on the topic at TPAC, and I hope I'm not overstating things to suggest that there was some level of agreement that the _infrastructure_ of Client Hints might be a reasonable one to support, even in the face of substantial disagreement about the _specific hints_ that the infrastructure might support.

We'd prefer the TAG provide feedback as (please select one):

- [ ] open issues in our Github repo for each point of feedback
- [ ] open a single issue in our Github repo for the entire review
- [X] leave review feedback as a comment in this issue and @-notify [github usernames]

Thanks folks! You're still my favorite architectural review body in the W3C!

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/320
Received on Monday, 5 November 2018 11:09:59 UTC