Re: [w3ctag/design-reviews] Markup based Client Hints delegation for third-party content (Issue #702) from Eric Portis on 2022-02-22 (public-webapps-github@w3.org from February 2022)

From: Eric Portis <notifications@github.com>
Date: Tue, 22 Feb 2022 09:24:34 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/702/1048033521@github.com>

@ylafon 

> I have an issue with using using `http-equiv` to describe what should be on another server

Authors are not describing another server's state or behavior. Instead, they're granting permission. The privacy model here is:

- First parties can already send third parties lots of fingerprint-able data about the end user, if they want to, *without* Client Hints.
- But cross-origins haven't been able to opt-into receiving that data on their own. Chrome's initial, [since-remedied](https://groups.google.com/a/chromium.org/g/blink-dev/c/8RBFue7RMXQ/) implementation of Client Hints allowed them to ([oops](https://github.com/httpwg/http-extensions/issues/372)).
- Going forward, UAs must not send Client Hints to third parties without permission, granted by the first party.

CSP was floated as a way to do this, but, as you intuited, [CSP experts disagreed](https://github.com/w3c/webappsec-permissions-policy/issues/55#issuecomment-531746048). Thus we ended up [doing it](https://www.w3.org/TR/permissions-policy-1/#algo-should-request-be-allowed-to-use-feature) with `Permissions-Policy` HTTP headers.

The explainer lists [two problems](https://docs.google.com/document/d/1U3P9yvaT1NXG_qRmY3Lp6Me7M5kTnd3QrBb1yFUVNNk/edit#heading=h.vfulx5tuufl7) with this approach; I'll focus on the second. Authors are [overwhelmingly more likely](https://github.com/w3c/webappsec-permissions-policy/issues/55#issuecomment-406627096) to use HTML rather than HTTP to configure Client Hints ([and Client Hints aren't alone, in that regard](https://almanac.httparchive.org/en/2021/resource-hints#http-header)). My hypothesis as to why: HTML authors spend much more of their time looking at, and writing to, their HTML, vs their HTTP configurations. Thus, I would expect markup-based configuration of Client Hint permissions to be much less likely to "rot", than the status quo (HTTP `Permissions-Policy`).



-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/702#issuecomment-1048033521
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/702/1048033521@github.com>

Received on Tuesday, 22 February 2022 17:24:46 UTC