Re: [w3ctag/design-reviews] `sec-metadata` (#280)

@mikewest you are a bad man.

As always, this is going to be a judgement call. Given the take-up of other WebAppSec mechanisms, I would be concerned if this were included in every request; if it's not going to be used in the vast majority of cases, why send it?

Possible mitigations:

1. Have the server opt into it. The usual mechanisms, usual problems. If only there were a metadata file that contained the server's preferences for browsers!

2. Split into multiple headers. If there are many permutations of the metadata sent by a browser over a single connection (and it appears there are), this could make the header compression more efficient.

3. Don't make the directives so verbose, while still trying to maintain readability. Don't go full `P3P`; nobody goes full `P3P`.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/280#issuecomment-438472647

Received on Tuesday, 13 November 2018 23:06:33 UTC
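The compression argument in point 2 above (one combined header with many permutations versus several narrow headers) can be made concrete with a small model of HPACK dynamic-table indexing. The following is an added example, not code from the thread or from any browser; it assumes a simplified cost model (an exact name/value match already in the table costs 1 byte, a new value costs its length plus small overhead, no eviction, no Huffman coding), and the `Sec-Metadata` serialization and the `Sec-Fetch-*` names are illustrative rather than the text of any specification.

```python
"""Simplified model of HPACK (RFC 7541) dynamic-table indexing, used to compare
the on-the-wire cost of one combined metadata header against the same
information split across several headers.

Assumptions (this is an illustration, not a real HPACK encoder):
  * a (name, value) pair already in the dynamic table costs 1 byte (indexed);
  * a new value for a known name costs 1 (name index) + 1 (length) + len(value);
  * a new name costs an extra 1 + len(name) on top of that;
  * the table is never evicted and Huffman coding is ignored;
  * the header names and the Sec-Metadata serialization are illustrative.
"""

from itertools import product

# Constructed vocabulary, sized like a real browser's metadata space.
DESTINATIONS = ["document", "image", "script", "style", "font"]
SITES = ["same-origin", "same-site", "cross-site", "none"]
MODES = ["navigate", "no-cors", "cors", "same-origin"]


class HpackTableModel:
    """Tracks which names and (name, value) pairs have been seen on one connection."""

    def __init__(self):
        self.pairs = set()
        self.names = set()

    def cost(self, name, value):
        """Bytes needed to encode one field under the simplified rules above."""
        if (name, value) in self.pairs:
            return 1  # indexed header field: one byte for the table index
        if name in self.names:
            size = 1 + 1 + len(value)  # name index, value length, value
        else:
            size = 1 + 1 + len(name) + 1 + len(value)  # literal name and value
        self.pairs.add((name, value))  # literal with incremental indexing
        self.names.add(name)
        return size


def combined_headers(dest, site, mode):
    """Hypothetical single-header serialization."""
    return [("sec-metadata", f'destination="{dest}", site="{site}", mode="{mode}"')]


def split_headers(dest, site, mode):
    """One narrow header per dimension."""
    return [("sec-fetch-dest", dest), ("sec-fetch-site", site), ("sec-fetch-mode", mode)]


def connection_cost(requests, serializer):
    """Total bytes for all requests on one connection; also returns table entries created."""
    table = HpackTableModel()
    total = sum(table.cost(n, v) for req in requests for n, v in serializer(*req))
    return total, len(table.pairs)


def sample_requests():
    """Constructed request stream: every permutation once, then the whole set again."""
    perms = list(product(DESTINATIONS, SITES, MODES))
    return perms + perms


if __name__ == "__main__":
    reqs = sample_requests()
    for label, ser in (("combined", combined_headers), ("split", split_headers)):
        total, entries = connection_cost(reqs, ser)
        print(f"{label:9s} {total:5d} bytes, {entries:3d} dynamic-table entries")
```

The split form is a few bytes worse for the very first request on a connection (three literal names instead of one), but every later request is a handful of one-byte index references, whereas the combined form has to emit a fresh literal for each distinct permutation and fills the dynamic table with entries that are rarely reused.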