Comments (10)
@yoavweiss reminded me that permissions policies aren't cached, so we actually don't expect to see enforcement on the first request sent to a site in any case. I'll add a note to the spec about that to clarify.
from client-hints-infrastructure.
I think you're right and the "if request is a subresource request" part doesn't match Chromium's implementation and seems spurious.
@arichiv - thoughts? Is this part WPT tested?
@miketaylr I was wondering whether, if a website wanted to, they could prevent any device information from being sent to themselves. I was thinking long-term, if the web platform was able to freeze and deprecate the User-Agent header. But I don't see an immediate use case for the reasons you stated.
Thanks for bringing this up! Addressing on that PR and also https://chromium-review.googlesource.com/c/chromium/src/+/3583274
In #106 (comment) @englehardt wrote:
Permissions Policy doesn't remove low entropy hints from a top-level document request.
@englehardt can you describe in more detail what you're observing?
Good catch! Fix here @englehardt: https://chromium-review.googlesource.com/c/chromium/src/+/3586379
@arichiv Got it thanks! I wasn't sure if the spec was incorrect or the implementation :) This resolves it.
@miketaylr For clarity: example.com could respond with Permissions-Policy: ch-ua=(), ch-ua-mobile=(), ch-ua-platform=(). This prevented those three low entropy hints from being added to requests for resources embedded within example.com (including first-party resources) but did not affect the client hints headers on the top-level request to example.com. With @arichiv's fix it looks like all requests (including the top-level) will not have the headers.
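The header from the comment above, worked through as an added example. This is not code from the client-hints-infrastructure repo or from Chromium; it is a small model of how a top-level document's Permissions-Policy gates the three low-entropy UA hints on requests made from that document. It assumes, per the Permissions Policy integration, that ch-ua, ch-ua-mobile and ch-ua-platform default to an allowlist of "*" when the header does not mention them, and it ignores nested-frame inheritance. The origins, the CDN_ONLY header and the function names are constructed for illustration.

```javascript
// Added example (not project or Chromium code): model of how a document's
// Permissions-Policy header gates the low-entropy UA client hints on requests
// issued from that document. Assumes the features default to "*" (sent to all
// origins) when not listed; top-level document only, no frame inheritance.
const LOW_ENTROPY_HINTS = {
  "ch-ua": "Sec-CH-UA",
  "ch-ua-mobile": "Sec-CH-UA-Mobile",
  "ch-ua-platform": "Sec-CH-UA-Platform",
};

// Split a header value on commas that are not inside (...) or "...".
function splitTopLevel(value) {
  const parts = [];
  let depth = 0, quoted = false, cur = "";
  for (const ch of value) {
    if (ch === '"') quoted = !quoted;
    else if (!quoted && ch === "(") depth++;
    else if (!quoted && ch === ")") depth--;
    if (ch === "," && !quoted && depth === 0) { parts.push(cur); cur = ""; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map(p => p.trim()).filter(Boolean);
}

// Parse one allowlist: "()" denies everywhere, "(self \"https://cdn.example\")"
// lists origins, and the bare tokens "*" / "self" are accepted too.
// Unrecognised items are ignored rather than failing the whole header.
function parseAllowlist(raw) {
  const body = raw.startsWith("(") && raw.endsWith(")") ? raw.slice(1, -1) : raw;
  const items = [];
  for (const tok of body.split(/\s+/).filter(Boolean)) {
    if (tok === "*" || tok === "self") items.push(tok);
    else if (tok.length >= 2 && tok.startsWith('"') && tok.endsWith('"')) {
      try { items.push(new URL(tok.slice(1, -1)).origin); } catch { /* not an origin */ }
    }
  }
  return items;
}

// Parse a Permissions-Policy header value into { feature: allowlist }.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const entry of splitTopLevel(headerValue)) {
    const eq = entry.indexOf("=");
    if (eq === -1) continue; // a bare key carries no allowlist this model handles
    policy[entry.slice(0, eq).trim()] = parseAllowlist(entry.slice(eq + 1).trim());
  }
  return policy;
}

// Does the policy allow `feature` for a request to `requestOrigin`, issued by a
// document served from `documentOrigin`? An unlisted feature uses the default.
function featureAllowed(policy, feature, documentOrigin, requestOrigin) {
  const allowlist = feature in policy ? policy[feature] : ["*"];
  return allowlist.some(item =>
    item === "*" ||
    (item === "self" && requestOrigin === documentOrigin) ||
    item === requestOrigin);
}

// Low-entropy hint headers a request from the document to `requestOrigin`
// would carry. `headerValue` is the Permissions-Policy the document was
// served with, or null when none has been seen yet: on a first navigation the
// policy arrives with the response and is not cached, so nothing is enforced.
function lowEntropyHintsFor(headerValue, documentOrigin, requestOrigin) {
  const policy = headerValue === null ? {} : parsePermissionsPolicy(headerValue);
  return Object.entries(LOW_ENTROPY_HINTS)
    .filter(([feature]) => featureAllowed(policy, feature, documentOrigin, requestOrigin))
    .map(([, header]) => header);
}

// Constructed inputs: the header quoted in the comment, and a variant that
// keeps ch-ua-platform for the document itself and one CDN origin.
const DENY_ALL = 'ch-ua=(), ch-ua-mobile=(), ch-ua-platform=()';
const CDN_ONLY = 'ch-ua=(), ch-ua-mobile=(self), ch-ua-platform=(self "https://cdn.example")';

console.log(lowEntropyHintsFor(null, "https://example.com", "https://example.com"));
console.log(lowEntropyHintsFor(DENY_ALL, "https://example.com", "https://example.com"));
console.log(lowEntropyHintsFor(CDN_ONLY, "https://example.com", "https://cdn.example"));
```

With DENY_ALL, both the first-party and the cross-origin subresource request lose all three headers, which is the behaviour the comment describes for embedded resources; the first navigation, modelled as a null header, still carries all three because the policy is only known once the response has arrived.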
For clarity: example.com could respond with Permissions-Policy: ch-ua=(), ch-ua-mobile=(), ch-ua-platform=().
Thanks @englehardt. Is there any use case for this, or are you just doing exploratory testing? I'm undecided if this is an actual useful thing to do... since the UA string will reveal the same info as the low-entropy UA hints.
Thanks - I can see that being theoretically interesting, to be able to claim as a site that no device identifiers are stored, at least at the network level. But maybe a new permissions policy would be the way to go, to turn off all (most?) headers.
But maybe a new permissions policy would be the way to go, to turn off all (most?) headers.
Right, that's a good point. Even if one were able to turn off client hints and the UA was frozen, other headers will reveal coarser information that will vary between vendors and browser versions.