Comments (12)
There aren’t plans to deprecate or remove the empty Accept-CH method.
I’m already working on the first part of the PR here: w3c/webappsec-clear-site-data#74
from client-hints-infrastructure.
Closing out as this is implemented in Chrome M117 by default.
Accept-CH (like Critical-CH) is an sf-list, and those are only valid to split across multiple lines as long as each line has at least one token: https://www.rfc-editor.org/rfc/rfc8941.html#name-lists
The current behavior, ignoring all Accept-CH headers if you send a blank one and others that aren’t blank, is correct unless we define our own sort of list and merging logic.
This is noted in the spec currently: “There MAY be multiple Accept-CH headers per-response and sf-lists can be split across lines as long as each line contains at least one token.”
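The merging behavior described in the comment above, as an added example that is not part of the original thread or of any browser's code: field lines are joined with commas before RFC 8941 list parsing, so one blank `Accept-CH` line next to non-blank ones makes the whole list fail to parse. The parser is a simplified subset (bare tokens only), and the function names and sample hint values are constructed for illustration.

```javascript
// sf-token per RFC 8941: ( ALPHA / "*" ) *( tchar / ":" / "/" )
const TOKEN = /^[A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*/;

// RFC 8941 section 4.2: all field lines with the same name are combined
// into one comma-separated value before parsing.
function combineFieldLines(lines) {
  return lines.join(", ");
}

// Simplified list parser: bare tokens only, no parameters, inner lists,
// strings or numbers. Returns an array of tokens, or null on parse failure.
function parseTokenList(input) {
  let s = input.replace(/^ +/, "");
  const members = [];
  while (s.length > 0) {
    const m = TOKEN.exec(s);
    if (!m) return null;                    // empty member, e.g. ", a"
    members.push(m[0]);
    s = s.slice(m[0].length).replace(/^[ \t]+/, "");
    if (s.length === 0) return members;
    if (s[0] !== ",") return null;
    s = s.slice(1).replace(/^[ \t]+/, "");
    if (s.length === 0) return null;        // trailing comma, e.g. "a, "
  }
  return members;                           // empty input is an empty list
}

// A failed parse means the field is ignored entirely.
function evaluateAcceptCH(lines) {
  const hints = parseTokenList(combineFieldLines(lines));
  return hints === null ? { ignored: true, hints: [] }
                        : { ignored: false, hints };
}

// Constructed sample responses (header lines as a server might send them).
const samples = {
  split: ["Sec-CH-UA-Platform", "Sec-CH-UA-Arch"], // valid split list
  blankLast: ["Sec-CH-UA-Platform", ""],           // blank line poisons it
  blankFirst: ["", "Sec-CH-UA-Platform"],          // same, other order
  onlyBlank: [""],                                 // valid empty list
};

for (const [name, lines] of Object.entries(samples)) {
  console.log(name, JSON.stringify(evaluateAcceptCH(lines)));
}
```

Only the single blank header parses as a valid empty list; mixing it with populated lines yields a parse failure rather than a merge.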
I could see moving to option 3 or 5 potentially, @miketaylr for thoughts.
We technically shouldn’t ever be asking for an empty sf-list anyway, so it would be more compliant to have an independent header and ignore the empty case entirely (or slate it for deprecation).
Option 5 makes sense to me semantically, though the Clear-Site-Data spec is in a bit of a sad unmaintained state right now (someone on my team had volunteered to pick that up, but it never happened). I also wonder if other vendors would object since none of them support CH yet...
I could take a look and consider taking it up. Will get back within a week or so.
Have been thinking this over, and I realized that if the user deletes cookies from the UI we clear client hint data, but (at least as far as I can see) when cookies are deleted via this header that doesn't happen. It seems like we want to consider:
(1) adding a clientHints option to Clear-Site-Data
(2) updating the cookies option to also clear client hints
@yoavweiss for thoughts
I think that clearing either cookies or cache using Clear-Site-Data should clear the CH cache as well (and tbh, I thought we did that already).
> I think that clearing either cookies or cache using Clear-Site-Data should clear the CH cache as well
I like this idea.
Sounds reasonable to us as well!
Would `Accept-CH:` (empty) still continue to work (clearing all hints), either as an "official" way of clearing Hints, or as a not-official-but-it-just-has-that-side-effect of it being an empty list?
I would recommend (and can offer a PR, if desired) this repo have a dedicated section in the docs about Clear-Site-Data and the official (and/or not recommended) `Accept-CH:` way of clearing hints.
https://groups.google.com/a/chromium.org/g/blink-dev/c/lJY86eTPQ0s the proposal is under review