[webkit-dev] User Agent Client Hints
mjs at apple.com
Sun Nov 1 17:17:51 PST 2020
I just did a fresh review of that spec and explainer. Thanks for addressing many of the previous issues. This addresses many of the potential objections.
Here’s the new issues I filed:
Most of these are minor/editorial, but I think 151 is potentially a deal-breaker. I may be misreading the spec, but as written getHighEntropyValues seems to give access to all of the high entropy client hints to third-party scripts in the first party context, and scripts running in third-party iframes, regardless of which ones the site has opted into via the relevant HTTP header. That would be a huge problem, as it would grant a lot of active fingerprinting surface unnecessarily (perhaps even expanding beyond what is currently possible with the UA string).
> On Oct 27, 2020, at 12:35 AM, Yoav Weiss <yoav at yoav.ws> wrote:
> Yet-another ping! :)
> On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav at yoav.ws <mailto:yoav at yoav.ws>> wrote:
> Friendly ping! :)
> On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss <yoav at yoav.ws <mailto:yoav at yoav.ws>> wrote:
> Hi WebKit folks,
> Circling back on the previous discussion <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031195.html> about User-Agent ClientHint. The feature was implemented in Chromium and is being rolled out in Chrome.
> There were some concerns mentioned in the previous thread, that we believe were since addressed. Would the feature be something that WebKit would consider shipping?
> Cheers :)
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the webkit-dev