-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Proposal: Client Hints delegation #129
Comments
I, perhaps predictably, like this proposal -- it seems like a good compromise between allowing authors to use client hints (and delegate access to trusted third parties) and protecting users' privacy (i.e. the potential to overshare data available in hints, which is addressed this integration with Feature Policy). |
So, with this model --
Does that make sense? Questions:
(even though those frames frame pages from the same origin) Is this per-frame decision possible with CH, or is the hint/no-hint decision always scoped per-origin? |
Re, 1-4: yes, I think that's exactly right.
I think so and it's a reasonable thing to do. For example, I may rely on a CDN to perform image or other type of optimization that can benefit from one or more hints, but I may not need hints on my origin directly. In this case I would simply specify an FP policy on my (1P) response enabling the 3P to request access to hints.
As defined by the CH spec, scoped per-origin. Do all features map to allow attributes? To start, I'm OK if we said allow attribute is not supported for CH, but open to other options too. |
Per discussion in #372, add (optional) suggestion to enforce explicit delegation for 3P origins. For example, a UA may use Feature Policy to implement this — see w3c/webappsec-permissions-policy#129.
@clelland as a sanity check, does this proposal sound reasonable to you from a high-level perspective? There's definitely implementation details that we need to hash out here, but first I want to make sure that we have agreement that this general direction is sound and FP can support it. |
friendly bump :) |
I like this proposal. So if no 1st party FP header does that mean 3rd parties cannot use CH.? If so like that a lot. |
Correct, for any hint that has default policy of
That's a separate and unrelated request+thread to what we're discussing here — let's split this out into a separate discussion, if you want to pursue it. |
Yes, I think that this is reasonable -- I was thinking there were some interactions with the Accept-CH-Lifetime mechanism that might run counter to developer expectations with FP, but I don't think there's anything insurmountable there. FP doesn't currently have any mechanism for allowing some features only in HTTP headers, and not in iframe attributes, but I'm sure there's room to define that if we come to the conclusion that it's required (I'm not convinced yet that it is) |
Trying to think through the examples and looking at the ABNF, it seems that if an origin would want to delegate multiple CH headers to multiple other origins, we'd end up with a lot of repetition. Is the above right? Or am I missing some less verbose way to do the same? If there isn't one already, would be great to find a way to minimize the verbosity. (seems like something that can be applicable to other policies as well, not CH specific) |
CSP allows much richer wildcards than feature policy currently does -- If FP adopted some of the same parsing logic, then you could cut it down to
or (by more carefully choosing hostnames just for this purpose)
But that's not any better in the general case. I guess we could use some way to define named groups of origins, and then reference them in declarations. I wonder if something like that would fit with Origin Policy? |
Alternately, if we allowed multiple features in a single declaration, then you could specify all three features and all three origins in the same declaration, like
That might be minimal, although it is definitely moving away from CSP in terms of parsing. |
Or maybe even I understand we're reducing verbosity at the expense of more generic parsing, which also fits the CSP model, so not saying that's the obvious right choice, but might be worth while to put some thought into that. Maybe CSP can benefit from something similar as well. |
That's an interesting idea -- I know that CSP explicitly does not support wildcards in that position (and maybe for good reason; @mikewest would probably know) I do kind of like the syntax of
as a shorthand for
and I suspect you're right that CSP could probably adopt that as well. I should probably start another thread for potential parser changes. |
CSP deals with this by having a |
I would like to propose changing the default restriction for DPR, Viewport-Width and Width in the default policy. While DPR and Viewport-Width are certainly finger-printable on desktop, on mobile devices these values are generally a constant for a given mobile device. The DPR for a Pixel2 is the same for all Pixel2 hardware. Further, these values are already derivable with a User-Agent Likewise, the 'Width' client hint is only present where the developer has added other annotations ( To summarize, I would propose the following change for the default policy. On Desktop: |
@colinbendell I'd strongly prefer that we avoid branching policies based on form factor: we should enforce same privacy requirements for all devices, and I'm sure that we'll find edge cases and exceptions for every hint — e.g. some "mobile" devices allow split screen browsing, which affects Viewport-Width. |
That would mean that in my above example, it'll come down to: I can live with that if it gets this shipped sooner. (by relying on existing constructs) |
If there's a @igrigorik – why did you propose
(related thought) If we go the route of allowing multiple feature-identifiers per declaration, e.g.,
Would it be possible to have those declarations enable the sending of those hints to those origins as well? e.g. this would be implied by the former:
This would be a different way to reduce repetition... by giving those enumerated values more of a job to do. |
This was a (Chrome) policy decision, to encourage site owners to optimize for users that enable "use less data" option in their browser.
That is, effectively, the behavior we converged on. The 1P origin must use Accept-CH to advertise opt-in, and if it also provides FP specifying which 3P origins are allowed, then same hints are sent to said origins. |
I’m trying to work through how this should be spec’d, and I'm running up against a disconnect. Integration with HTML enables and disables features within a document, based on the document’s own origin. What we want to do here, is enable and disable features on each request, based on that request’s URL’s origin. Will spec'ing this delegation require a new Feature Policy integration? With Fetch, maybe? Alternatively, perhaps Content Security Policy is a better tool to do this delegation job?
|
@eeeps hmm, good points. One gotcha I see here is that CSP is not a perfect match either..
In this case, we're not controlling sources from which resources can be loaded, but aiming to control what outgoing headers requests are annotated with. @mikewest any thoughts on if/how CSP could be a fit here? |
I don't think adding new things to CSP is a good idea. It's already doing more than it ought to do because of past-me's poor design decisions. I do think you'll need to integrate with Fetch one way or the other in order to figure out when to attach headers. Since you're doing that in the context of a given request, perhaps you can examine properties of the request's client in order to determine which hints ought to be applied? That is: Feature Policy applies to the document, the document makes a request, Fetch calls an algorithm that looks at the document's policy to figure out what to do. That's what CSP does (in step 4 of https://fetch.spec.whatwg.org/#main-fetch which calls into https://w3c.github.io/webappsec-csp/#should-block-request). |
@mikewest we do have existing plumbing in Fetch (see step 7 in Fetching), where we differentiate between navigation and resource requests. The discussion here is about defining a new mechanism where 1P is able to explicitly delegate delivery of hints (which and to which origin) to 3P origins. Previously, hints were delivered to all origins once 1P opted-in, but we're changing this behavior to: opt-in is for 1P origin only, and 1P must explicitly delegate to 3P's it wants the UA to deliver CH hints to. Conceptually, FP is one way to tackle this use case: 1P uses FP to list origins and hints to which it delegates CH permission, similar to permission delegation. However, as @eeeps pointed out, there is a small mismatch here: other FP policies are document wide, whereas CH policy is all about origins — e.g. a 3P subresource loaded by top-level document should not get the hints unless 1P explicitly allowed it. Hence the thought experiment about CSP.. On other hand, CSP is not a perfect match either, since it controls sources from which resources can be loaded, not what data is sent to said origins. Conflating the two could get pretty confusing, and my hunch is that it would be even more so than FP.. WDYT? |
The above PRs represent a first stab at this. As this is my first time contributing to any of these specs (or using Bikeshed! at all!), I'm sure there are numerous issues. If and when those are able to be worked out, I see a few remaining issues to be tackled:
Lastly – I was basing these PRs on the language and functionality that’s already in the Fetch spec. So I didn't think very deeply about how these changes will affect the Accept-CH-Lifetime header/cache. @yoavweiss do you forsee any particular problems, in that regard? |
@eeeps first off, big thank you for your help with this! Left a few comments on the PRs.
|
It's been a while since activity on this issue. I would appreciate if somebody can let us know what is the final format for defining permissions policy for Client Hints going to look like, if there's some consensus on it. Thanks a lot |
I believe this was closed by #220 and Client Hints infrastructure |
Thanks a lot @yoavweiss |
Client Hints defines a mechanism for UA+server to negotiate a set of HTTP request header fields that can be used for proactive content negotiation. For example, the server can request that the client send a
DPR
request header field such that it can pick the right image / CSS / HTML markup.The site author must explicitly opt-in and specify which hints they want to receive via the Accept-CH header — e.g.
Accept-CH: DPR
response header indicates that the UA should send theDPR
hint. Optionally, the site can also request that the UA remember this preference for a specified period of time, via Accept-CH-Lifetime header.One existing limitation that came up in privacy review is that CH does not expose 'delegation controls' for 1P vs 3P resources; CH does not provide a means for 1P to specify which 3P's should be allowed to request various hints. I believe (and propose :)) that Feature Policy is the right tool for the job to address this: we can define each hint as a policy-controlled feature.
For example, enumerating existing hints today...
ch-dpr
with default policy ofself
.ch-width
with default policy ofself
.ch-viewport-width
with default policy ofself
.ch-save-data
with default policy of*
.In effect, the 1P has to first explicitly opt-in to receive any of the above via
Accept-CH
mechanism described above, and by default this opt-in would apply to 1P resources only. If the origin wishes to delegate permission to 3P's to request some or all of the same hints, it would then whitelist them via a custom Feature-Policy with above directives.WDYT?
/cc @clelland @arturjanc @tarunban @yoavweiss
The text was updated successfully, but these errors were encountered: