Re: [w3ctag/design-reviews] Subresource prefetching+loading via Signed HTTP Exchange (#352)

During the spec discussion, we focused on how to prevent user tracking.
As described at [Security and Privacy Considerations](https://github.com/horo-t/subresource-signed-exchange/blob/master/signed-exchange-subresource-subtitution-explainer.md#security-and-privacy-considerations), this feature only exposes 1 bit of information because UAs can use the cached signed exchange only if the required signed exchanges are all available.


I'd like the TAG to check if the following sound reasonable:
 - The overall use-case / considerations we've made for privacy.
 - Introducing a new rel=allowed-alt-sxg link header.
   This new "allowed-alt-sxg" link header is only for signed exchange.
 - Extending the usage of the existing rel=alternate link header.
   The alternate link headers are already widely used for several use cases.

Let me also share our current status in Chromium. 
We have implemented it in Chromium, and we are planning to start an Origin Trial soon.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/352#issuecomment-530277503

Received on Wednesday, 11 September 2019 08:27:08 UTC