Re: [w3ctag/design-reviews] Markup based Client Hints delegation for third-party content (Issue #702)

I have an issue with using `http-equiv` to describe what should be on another server, first because making assertions on behalf of another origin or even URL is not safe in general, but also because it leads to "rotting" configuration.
If the targeted server `foo.bar.example.com` at some point no longer needs `ch-ua-platform-version` or needs something else on top of it, you need to update your page, which is unlikely to happen. As it is linked to permissions, it would be better (but CSP experts might disagree) to have this as a CSP and expect that if it is set, then the third-party server will need CH.

If the goal is to bootstrap the use of Client Hints to save one round trip for third-party content, then there are solutions like caching the state of the need for Client Hints; it won't solve the first-hit issue, but will do later on. Or else, use another pragma name, but this will suffer from the same issue of "rotting configuration".



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/702#issuecomment-1046680616

Message ID: <w3ctag/design-reviews/issues/702/1046680616@github.com>

Received on Monday, 21 February 2022 09:57:35 UTC