[w3ctag/design-reviews] Markup based Client Hints delegation for third-party content (Issue #702)

Braw mornin' TAG!

I'm requesting a TAG review of markup based Client Hints delegation for third-party content.

This allows [permission policies](https://w3c.github.io/webappsec-permissions-policy/#serialization) (for only client hints) to be set on Accept-CH meta tags which include third party origins, which is useful for web developers who may not have easy access to modify HTTP headers (e.g., developers relying on embedding third-party code snippets). For example, to specify third party requests to `https://foo.bar` must include `sec-ch-ua-platform-version` you could include:

`<meta name="accept-ch" content="sec-ch-ua-platform-version=( https://foo.bar)">`

You may still omit the permission policy and rely on the [default allowlist](https://wicg.github.io/client-hints-infrastructure/#policy-controlled-features) as follows:

`<meta name="accept-ch" content="sec-ch-ua-platform-version">`

Note that this is the equivalent of the following today:

`<meta http-equiv="accept-ch" content="sec-ch-ua-platform-version">`

The reason we’re moving from `http-equiv` to `name` is that this new syntax isn’t supported in the HTTP header `accept-ch` field. The syntax to delegate client hints to third parties will be unique to the `name`d meta tag.

- Explainer: https://docs.google.com/document/d/1U3P9yvaT1NXG_qRmY3Lp6Me7M5kTnd3QrBb1yFUVNNk/edit

- Specification URL: https://wicg.github.io/client-hints-infrastructure/#accept-ch-state-algo

- Tests:
  - https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/client_hints/client_hints_browsertest.cc (see test names starting with `DelegateTo`).
  - WPT https://github.com/web-platform-tests/wpt/pull/32142

- Security and Privacy self-review: https://github.com/WICG/client-hints-infrastructure/blob/main/tag-security-privacy-third-party-delegation.md

- GitHub repo (if you prefer feedback filed there): https://github.com/WICG/client-hints-infrastructure

- Primary contacts (and their relationship to the specification):
  - Ari Chivukula (@arichiv - editor)
  - Yoav Weiss (@yoavweiss - TL)
  - Mike Taylor (@miketaylr - TM)
- Organization(s)/project(s) driving the specification: Chromium
- Key pieces of existing multi-stakeholder review or discussion of this specification:
  - Mozilla’s position: https://github.com/mozilla/standards-positions/issues/596

  - User-Agent Client Hints & UA Reduction TAG Review: https://github.com/w3ctag/design-reviews/issues/640

- External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
  - https://crbug.com/1219359

  - https://www.chromestatus.com/features/5684289032159232 

Further details:
- I have reviewed the TAG's [Web Platform Design Principles](https://w3ctag.github.io/design-principles/)
- The group where the work on this specification is currently being done: WICG
- The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): W3C or WHATWG
- Major unresolved issues with or opposition to this specification: N/A
- This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**


Message ID: <w3ctag/design-reviews/issues/702@github.com>

Received on Monday, 20 December 2021 21:48:35 UTC
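
The delegation syntax described in the message above can be audited from static markup. The following is an added example, not code from the proposal or from Chromium: it lists each hint requested by an `accept-ch` meta tag, the origins it is delegated to, and flags delegation syntax placed on an `http-equiv` tag. The function names are hypothetical, and the comma-separated entry list is an assumption carried over from the `Accept-CH` header's list form, since the message shows only single-entry tags.

```javascript
// Added example: audit client hint requests and third-party delegation in meta tags.
// Assumed grammar: comma-separated entries, each `hint` or `hint=(origin ...)`.
// Regex tag matching suits a quick markup audit; it is not a full HTML parser.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i").exec(tag);
  return m ? (m[1] ?? m[2]) : null;
}

function parseEntry(entry) {
  const m = /^([a-z0-9-]+)\s*(?:=\s*\(([^)]*)\))?$/i.exec(entry);
  if (!m) return { hint: entry, origins: [], unrecognized: [entry] };
  const origins = [], unrecognized = [];
  for (const tok of (m[2] ?? "").split(/\s+/).filter(Boolean)) {
    try {
      // Accept quoted or bare origins; normalize to scheme://host[:port].
      origins.push(new URL(tok.replace(/^"|"$/g, "")).origin);
    } catch {
      unrecognized.push(tok); // not an absolute URL; left for manual review
    }
  }
  return { hint: m[1].toLowerCase(), origins, unrecognized };
}

function auditClientHintMeta(html) {
  const findings = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) ?? []) {
    const named = (attr(tag, "name") ?? "").toLowerCase() === "accept-ch";
    const equiv = (attr(tag, "http-equiv") ?? "").toLowerCase() === "accept-ch";
    if (!named && !equiv) continue;
    for (const raw of (attr(tag, "content") ?? "").split(",")) {
      if (!raw.trim()) continue;
      const f = parseEntry(raw.trim());
      f.source = named ? "name" : "http-equiv";
      // Per the message, the delegation syntax is unique to the name= form.
      f.misplaced = !named && raw.includes("=");
      findings.push(f);
    }
  }
  return findings;
}

// Constructed sample page; https://foo.bar is the origin used in the message.
const SAMPLE = `
<meta name="accept-ch" content="sec-ch-ua-platform-version=( https://foo.bar), sec-ch-ua-model">
<meta http-equiv="accept-ch" content="sec-ch-ua-arch=(https://foo.bar)">
<meta name="viewport" content="width=device-width">`;

for (const f of auditClientHintMeta(SAMPLE)) console.log(f);
```

Each finding with a non-empty `origins` array is a hint that third-party requests to those origins would carry, which is the list a privacy review of the page needs.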