Client hints difference between navigation and subresources

[annevk]

@igrigorik is it intentional that for subresources we always append client hints headers and for navigation only if they're not already present?

That doesn't actually make a whole lot of sense to me, since navigation is the one where it's currently impossible for those headers to already be present...

[igrigorik]

Most recent IETF draft updates the opt-in flow. The short of it:

• Servers must advertise Accept-CH with list of hints they want to receive.
  • If this opt-in is present on response to navigation request, then we should emit the requested request header fields for same-origin subresources.
• Optionally, the server can also provide Accept-CH-Lifetime to persist above preference. This means that future navigation+subresource requests should emit requested header fields.

Sending requested header fields to 3P origins is subject to Feature Policy, the plumbing for which is WIP — see w3c/webappsec-permissions-policy#129.

[annevk]

@igrigorik that opt-in flow requires a bunch of plumbing in HTML and Fetch too. Who will do that work?

[igrigorik]

It's been my list for a while, but as you can tell.. haven't found the cycles to tackle it so far. If there is anyone else interested in picking this up, I'd be happy to help review!

[yoavweiss]

Taking a cautious peek at that, it seems like that work would comprise of:

• Adding a step after step 10 in Main Fetch, which reads Accept-CH-Lifetime and adds it to some CH-opt-in cache
• Add definition of said cache
• Change steps 6-7 in Fetching to take Accept-CH and/or CH-opt-in cache into consideration.
• Limit above steps to secure origins
• Limit above steps to same-origin - unless the origin is on some list of allowed origins
• Hook up FeaturePolicy and Feature Proposal: Client Hints delegation w3c/webappsec-permissions-policy#129 to said list of allowed origins.
• Add all the new hints to Client Hints list and to the cors-safelisted request headers.

@annevk - does that sound about right?

[annevk]

Yeah (also tests).

[igrigorik]

@yoavweiss that sounds about right!

[igrigorik]

@annevk let's close this and track progress in #726?

[annevk]

Sure.