Re: [whatwg/fetch] Check Feature Policy before attaching Client Hints (#811)

igrigorik commented on this pull request.



> @@ -2813,8 +2821,15 @@ the request.
          <dd>a suitable <a href=http://httpwg.org/http-extensions/client-hints.html#width>width value</a>
         </dl>
 
-       <li><p>A user agent should <a for="header list">append</a>
-       <var>hintName</var>/<var>value</var> to <var>request</var>'s <a for=request>header list</a>.
+       <li><p>If the result of running
+       <a href="https://wicg.github.io/feature-policy/#should-request-be-allowed-to-use-feature">Should
+       <var>request</var> be allowed to use <var>feature</var>?</a>,
+       given <var>request</var> and <var>hintName</var>’s
+       <a href="http://httpwg.org/http-extensions/client-hints.html#opt-in-via-feature-policy">associated
+       policy-controlled feature</a>, returns <code>true</code>, the user agent should
+       <a for="header list">append</a> <var>hintName</var>/<var>value</var> to <var>request</var>'s
+       <a for=request>header list</a>.
+       [[!FEATURE-POLICY]] [[!CLIENT-HINTS]]
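
Review bot: the rewritten step only covers the case where the Feature Policy check returns true, and because the append itself is a "should", the false case is left implicit and the check can be read as advisory. Consider stating the negative branch explicitly, for example "Otherwise, the user agent must not append hintName/value to request's header list", so that hints are never attached where the policy does not allow them. Minor: "hintName’s" uses a curly apostrophe while "request's" in the same step uses a straight one, and the Client Hints link is http:// while the Feature Policy link is https://.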

Some existing plumbing that we need to refactor:
- https://fetch.spec.whatwg.org/#client-hints-list
- Fetching steps 6+7: https://fetch.spec.whatwg.org/#fetching


I think the behavior we want here is...

1. We need to define the Accept-CH opt-in processing in the HTML spec
1. For nav request, update Fetch to reference (1) instead of current "client hints tokens" ref to IETF spec
1. For subresources, execute algorithm defined in FP, checking for delegation

@eeeps @annevk WDYT, does that make sense?


-- 
View it on GitHub:
https://github.com/whatwg/fetch/pull/811#pullrequestreview-160096074

Received on Saturday, 29 September 2018 23:12:56 UTC