Integrate latest Client Hints updates #726
Comments
|
I started working on the "CH opt-in" cache part at #729, but following an IRC discussion with @annevk I'm now wondering what's the right way forward. The above PR adds that infrastructure to Fetch, but it was suggested that HTML might be a more appropriate place. Among other considerations, it depends if the response header handling is limited to navigation responses (which are also handled in HTML) or also cover subresource responses (handled only in Fetch AFAICT). Talking to @igrigorik, the use case for handling the Opinions? /cc @arturjanc @tarunban |
|
For context, we introduced requirement for double-keying before the discussion towards delegation, and that's where FP got introduced into the mix. Stepping back, I think FP-only solution could work and would simplify the processing: given that 1P explicitly delegates permission to send hints to a specified 3P via FP, the 3P opt-in on top of that is redundant. @arturjanc @npdoty would love to hear your thoughts. Assuming we all agree on this, shifting the logic into HTML spec makes a lot of sense. |
|
I don't think the third-party indication that it will make use of Client Hints is redundant even if the first party indicates that it trusts the third party to receive that data. The purpose of the opt-in request was for servers to indicate what data they will make use of (which improves transparency on practices like fingerprinting) and to only send the necessary data (data minimization). If a first party site just says, "all of my embedded parties are cool", that may not provide the user or researcher with much indication that the third party wants or needs the data. (Not sure we should call this "double-keying", as it's not like the case of cookies/storage that is different for different pairs of origins, but rather that data is transmitted only if both sides of the origin pair allow it. What do we call the practice of allow* attributes on iframes?) |
|
@npdoty Thanks for the feedback! I understand that this will adds some transparency to the CH-based fingerprinting, but couldn't we treat the first-party opt-in to the same purpose? After all, third party accepting CH does not mean that it uses them for fingerprinting.
Maybe we can limit that by banning "*" as a viable |
|
FWIW, I agree with Yoav that first-party delegation offers a strong signal, while allowing for easy and performance deployment.
I'm reluctant to go down this path. From a developer ergonomics perspective it would be completely non-intuitive for why this wouldn't or shouldn't work in this case, but work for other policies. |
|
One of the other purposes of double keying was so that the UA can remember the opt-ins for third party resources when loaded in the context of first-party. I believe that feature policies are not cached by UA. Is that correct? If so, removing double keying implies that the 1p has to provide FP for third-parties for every page load. I believe that should be fine, but just wanted to point that out. |
|
@tarunban that's correct, FP is not cached. For purposes of CH, I think this is fine and wouldn't break any use cases. If Origin-Policy ever becomes a thing, it could provide a way for a site to avoid specifying FP headers on each response, but I haven't see much recent activity on that front. |
|
I haven't read through this thread, but came here from https://chromium-review.googlesource.com/c/chromium/src/+/1066919 and just want to make sure one facet ends up being covered. There, So hopefully this issue will make it clear precisely which fetches get the headers :) |
|
@foolip - thanks for catching that. This should indeed be better defined. It's probably cleanest to apply |
|
Yep. Perhaps that'll involve adding an internal slot to store stuff in HTML, and consulting that state in Fetch, that kind of thing. |
|
The Feature Policy integration which requires explicit opt-in for sending hints on third-party requests, and the associated On an unrelated note, where can I find a discussion of |
|
|
|
I've updated the top comment on this issue with the open PRs that resolve it. AFAICT, all issues should be resolved, other than the Feature-Policy/3rd-party opt-in bits, which we don't aim to ship in the immediate future. We may be able to benefit from a couple more tests, making sure that ACH and ACHL don't work on subresource responses. Otherwise, I think we're good to go (pending reviews and landing of the PRs). |
Per discussions in fetch#726 [1], update the opt-in example to apply to same-origin resources only, with Accept-CH-Lifetime being processed on navigation requests. [1] whatwg/fetch#726 (comment)
|
Nice work, thank you Yoav! As a recap, we're waiting for the following to land:
Yep, this is non-blocking. |
|
Yes, I have #725 covered, but I need to land some Chromium changes and WPT tests to conform to the updated spec. |
Per discussions in fetch#726 [1], update the opt-in example to apply to same-origin resources only, with Accept-CH-Lifetime being processed on navigation requests. [1] whatwg/fetch#726 (comment)
I think the Web Performance Working Group is the place for discussing the Device Memory 1 Editor's Draft.
As far as I can tell, that data is not already commonly exposed. The editor's draft, not yet published as a Working Draft and implemented only in Blink, adds access to that data in both HTTP headers and JavaScript. |
|
The work related to CH integration with Fetch and HTML was done as part of https://wicg.github.io/client-hints-infrastructure/ Closing this as obsolete |
|
What's the upstream issue then to discuss the design and inform the Fetch/HTML community? |
|
Good point, opened #1072 |
and others
Consolidating the tasks into a meta bug, so we can track progress..
Update list of hints
RTT,ECT,Downlink, andDevice-Memoryheaders to the CORS-safelisted list, Client Hints list, and processing (step 6).Integrate
Accept-CH-Lifetime/ opt-in logicAccept-CH-Lifetimeand adds it to some CH-opt-in cacheAccept-CHand/or CH-opt-in cache into consideration.<meta http-equiv>opt-inIntegrate Feature-Policy + Client Hints hooks
@tarunban @yoavweiss @annevk anything missing?
The text was updated successfully, but these errors were encountered: