- From: Aaron Tagliaboschi <notifications@github.com>
- Date: Wed, 19 Aug 2020 10:22:28 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/549@github.com>
Hullo TAG! I'm requesting a TAG review of Client Hint reliability mechanisms. [HTTP Client Hints](https://httpwg.org/http-extensions/client-hints.html) can replace passive fingerprinting surfaces with server-requested (and [potentially deniable](https://github.com/bslassey/privacy-budget)) client headers. However, there’s no current way to guarantee the hints would be available to the server, for cases where they can materially impact the response sent. On the first page load, the client may not know to send any hints at all. The client may also have out-of-date information on the server preferences when it sends a request. The explainer below describes a pair of mechanisms to fix this:

1. an HTTP-header-based retry to ensure critical Client Hints are reliably available
2. a connection-level optimization to avoid the performance hit of a retry in most cases

- Explainer¹ (minimally containing user needs and example code): https://github.com/WICG/client-hints-infrastructure/blob/master/reliability.md
- Security and Privacy self-review²: Security and privacy are covered for [client hints](https://httpwg.org/http-extensions/client-hints.html#security-considerations). The reliability mechanisms don’t add any significant new information to be accessed, and don’t change who can access that information.
- Primary contacts (and their relationship to the specification):
  - Aaron Tagliaboschi (@amtunlimited) Google
  - Yoav Weiss (@yoavweiss) Google
- Organization/project driving the design: Google

Further details:

- [x] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)

You should also know that...

This will help address one of the main areas of concern brought up by developers, namely that they wanted some hints available on first navigation request, and that the logic behind a retry would be needlessly complex and fraught with possible pitfalls if implemented on the server side.
We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a **comment in this issue** and @-notify @amtunlimited, @yoavweiss

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/549
Received on Wednesday, 19 August 2020 17:22:41 UTC
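The header-based retry that the request above describes, as an added example (not code from the linked explainer or from the Client Hints project): a Python simulation of a user agent deciding whether to retry a navigation when the response's Critical-CH header lists a hint the UA could have sent but did not. Header names follow the linked explainer; the origin (`demo_server`) and the UA's available hints are constructed for the example, and the single-retry limit is the defensive choice a UA makes so a server cannot force a retry loop.

```python
# Constructed sample: the hints this user agent is able and willing to send.
AVAILABLE_HINTS = {"sec-ch-ua-platform": "Linux", "sec-ch-ua-arch": "x86"}

def parse_header_list(value):
    """Split a comma-separated list of header tokens, lowercased."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def needs_retry(request_headers, response_headers, available_hints=AVAILABLE_HINTS):
    """Return (retry?, hints for the retry). A retry is needed only when some hint
    is listed in Critical-CH, also in Accept-CH (Critical-CH must be a subset),
    absent from the request, and one the UA would actually send. On retry the UA
    sends every Accept-CH hint it has, as if its Accept-CH cache were up to date."""
    accept_ch = set(parse_header_list(response_headers.get("accept-ch", "")))
    critical = parse_header_list(response_headers.get("critical-ch", ""))
    sent = {k.lower() for k in request_headers}
    missing_critical = [h for h in critical
                        if h in accept_ch and h in available_hints and h not in sent]
    to_send = {h: available_hints[h] for h in accept_ch if h in available_hints}
    return bool(missing_critical), to_send

def fetch_with_retry(send, url, available_hints=AVAILABLE_HINTS):
    """Simulated navigation. `send(url, headers)` -> (status, headers, body).
    At most one retry per navigation, so a server cannot drive the UA into a loop."""
    request_headers = {}
    status, resp_headers, body = send(url, request_headers)
    retry, hints = needs_retry(request_headers, resp_headers, available_hints)
    retries = 0
    if retry:
        request_headers = {**request_headers, **hints}
        status, resp_headers, body = send(url, request_headers)
        retries = 1
    return status, resp_headers, body, retries

def demo_server(url, headers):
    """Constructed origin: tailors the body to Sec-CH-UA-Platform and declares that
    hint critical, so the first, hint-less request is retried with it present."""
    resp = {"accept-ch": "Sec-CH-UA-Platform, Sec-CH-UA-Arch",
            "critical-ch": "Sec-CH-UA-Platform"}
    platform = headers.get("sec-ch-ua-platform")
    body = f"download page for {platform}" if platform else "generic download page"
    return 200, resp, body
```

A hint that is critical but not in Accept-CH, or one the UA cannot send, never triggers a retry, which is what keeps the mechanism from turning into a loop between a misconfigured server and a compliant client.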