-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Markup based Client Hints delegation for third-party content #702
Comments
I have an issue with using If the goal is to bootstrap the use of Client-Hints to save one round trip for third party content, then there are solutions like caching the state of the need of client-hints, it won't solve the first hit issue, but will do later on, or else, use another pragma name, but this will suffer the same issue of "rotting configuration". |
Authors are not describing another server's state or behavior. Instead, they're granting permission. The privacy model here is:
CSP was floated as a way to do this, but, as you intuited, CSP experts disagreed. Thus we ended up doing it with The explainer lists two problems with this approach; I'll focus on the second. Authors are overwhelmingly more likely to use HTML rather than HTTP to configure Client Hints (and Client Hints aren't alone, in that regard). My hypothesis as to why: HTML authors spend much more of their time looking at, and writing to, their HTML, vs their HTTP configurations. Thus, I would expect markup-based configuration of Client Hint permissions to be much less likely to "rot", than the status quo (HTTP |
Ok, I was indeed mistaking Permission with a proper "cached" reply. |
Part of the design doc (that could be spelled out more explicitly in the spec) is a limitation on when the Accept-CH meta tag could be parsed. It should only be read once, and only on the original HTML sent from the first party server. It should not be parsed a second time and cannot be parsed after javascript executes. |
Getting this properly specified seems critical before shipping. Right now there is just an accept-ch state on the meta element but no indication of how that state is processed. Compare this to other meta element states with well-specified processing models, like referrer, theme-color, or color-scheme. |
This also adds support for speculative HTML parsing, whose fetches should respect the tag as well. w3ctag/design-reviews#702 (comment)
Thanks for working on our feedback, we will close this issue and look forward to see the outcome on WICG/client-hints-infrastructure#103 If there are problems working on it, please reopen this issue. |
After feedback from Cloudinary (WICG/client-hints-infrastructure#108) we're considering a few options for how to improve the HTML accept-ch delegation. Specifically, the current syntax does not conform to either the
Options 1 and 4 are preferred given the we are doing double duty (both requesting and delegating client hints). Mimicking the Permissions-Policy (option 2) or iframe allow (option 3) formats might obscure the distinct meaning of this code. I can start a new thread if needed, but this seemed a good place to start. https://bugs.chromium.org/p/chromium/issues/detail?id=1330554 |
The advantage of (4) from my perspective is that we're keeping a single markup for delegation and allow attributes (including the same policy names). The disadvantage is that developers would need to both opt-in the current page and delegate the hints, so would need to add 2 separate bits of markup. @eeeps - I'd love your opinions on the above tradeoff |
Are the |
Sorry that was a copypasta error; fixed. |
This is not actually like the PermissionsPolicy HTTP header, right? Since the header is a structured header and thus must use double quotes, not the single quotes you show here.
So, the difference between meta name and meta http-equiv is a real mess already, but I think this proposal makes it even worse. In general how things are supposed to work is:
This is not really well-followed, e.g. So with that in mind, from a HTML perspective the best idea might be something like (5), a |
The question then becomes: is the benefit of having something like (5) worth changing the syntax? From where I stand, (1) is functionally identical and the benefits of switching aren't clear given either way developers need to learn a semi-unique syntax. |
@arichiv - I may be wrong, but I think the syntax @domenic is proposing is similar to the "allow" attribute syntax, so that somewhat reduces the uniqueness.
Embarassing, but I did not know that. Thanks @domenic for pointing that out. |
Thanks for the feedback! On it for M105 WICG/client-hints-infrastructure#108 (comment) |
@ylafon / @torgo Old: New: We’re switching from Although this change is coming after a launch in M100, usage of the prior syntax is low (currently 0.000016%) and it seems worth taking the opportunity to reduce developer confusion and increase standards compliance. |
Braw mornin' TAG!
I'm requesting a TAG review of markup based Client Hints delegation for third-party content.
This allows permission policies (for only client hints) to be set on Accept-CH meta tags which include third party origins, which is useful for web developers who may not have easy access to modify HTTP headers (e.g., developers relying on embedding third-party code snippets). For example, to specify third party requests to
https://foo.bar
must includesec-ch-ua-platform-version
you could include:<meta name="accept-ch" content="sec-ch-ua-platform-version=( https://foo.bar)">
You may still omit the permission policy and rely on the default allowlist as follows:
<meta name="accept-ch" content="sec-ch-ua-platform-version">
Note that this is the equivalent of the following today:
<meta http-equiv="accept-ch" content="sec-ch-ua-platform-version">
The reason we’re moving from
http-equiv
toname
is that this new syntax isn’t supported in the HTTP headeraccept-ch
field. The syntax to delegate client hints to third parties will be unique to thename
d meta tag.DelegateTo
).Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
The text was updated successfully, but these errors were encountered: