[webkit-dev] User Agent Client Hints
yoav at yoav.ws
Mon Nov 2 08:56:51 PST 2020
Thanks for re-reviewing, Maciej!
Adding Mike Taylor, who's likely to take a closer look at this.
On Mon, Nov 2, 2020 at 2:17 AM Maciej Stachowiak <mjs at apple.com> wrote:
> I just did a fresh review of that spec and explainer. Thanks for
> addressing many of the previous issues. This addresses many of the
> potential objections.
> Here’s the new issues I filed:
Thanks for filing those! We'll take a look and respond shortly.
> Most of these are minor/editorial, but I think 151 is potentially a
> deal-breaker. I may be misreading the spec, but as written
> getHighEntropyValues seems to give access to all of the high entropy client
> hints to third-party scripts in the first party context, and scripts
> running in third-party iframes, regardless of which ones the site has opted
> into via the relevant HTTP header.
That's indeed the case, as we didn't consider the Client Hints opt-in to be
something that impacts the availability of the JS API. (as it doesn't do
that for other hints)
> That would be a huge problem, as it would grant a lot of active
> fingerprinting surface unnecessarily
We did discuss a Feature Policy (now Permission Policy) to that effect.
Would that help with your concerns?
> (perhaps even expanding beyond what is currently possible with the UA
Can you expand on that last point?
> On Oct 27, 2020, at 12:35 AM, Yoav Weiss <yoav at yoav.ws> wrote:
> Yet-another ping! :)
> On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav at yoav.ws> wrote:
>> Friendly ping! :)
>> On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss <yoav at yoav.ws> wrote:
>>> Hi WebKit folks,
>>> Circling back on the previous discussion
>>> about User-Agent ClientHint. The feature was implemented in Chromium and is
>>> being rolled out in Chrome.
>>> There were some concerns mentioned in the previous thread, that we
>>> believe were since addressed. Would the feature be something that WebKit
>>> would consider shipping?
>>> Cheers :)