Define policy-controlled features #696
Conversation
| @@ -255,6 +255,27 @@ Implementers ought to consider both user and server controlled mechanisms and po | |||
|
|
|||
| Implementers SHOULD support Client Hints opt-in mechanisms and MUST clear persisted opt-in preferences when site data, browsing history, browsing cache, or similar, are cleared. | |||
|
|
|||
| ## Opt-in via Feature Policy | |||
There was a problem hiding this comment.
@eeeps this entire section should live in Feature Policy spec, not here. Could you move it over to your FP PR?
There was a problem hiding this comment.
I'm not sure it belongs in the Feature Policy spec. The Feature Policy spec only defines a generic set of mechanisms, and is not in the business of defining (or even, to date, enumerating) specific policy-controlled features like this.
Can you explain why you don't think these feature policy definitions belong in the Client Hints spec?
Perhaps there's somewhere in the HTML or Fetch specs that'd be a better home?
cc: @yoavweiss
There was a problem hiding this comment.
I think you're both right! :)
Cross-origin fetches is a web concept, so it has no place here. At the same time, FP does indeed just define the mechanisms, not the features.
HTML and Fetch are probably the right places for this, where the features are defined in HTML and initialize an object keeping track of the Document's CH delegation to certain third-parties, which is later used in Fetch to actually make a decision on sending the hints themselves using it.
There was a problem hiding this comment.
@yoavweiss do you think this policy-controlled feature definition belongs in (or is blocked by?) whatwg/html#3774, or should I create a new PR on the HTML spec?
There was a problem hiding this comment.
If we're going to make the CH spec generic (which still needs to be properly explained/discussed, btw :), I'd think that the CH spec should have a mention of FP and some general guidance, whereas the specific feature definitions / guidance should go wherever those particular hints are defined. YMMV, of course.
There was a problem hiding this comment.
Fair enough. We could mention FP as an example of how delegation can happen for a browser use case. For other environments.. they may or may not use a similar pattern.
@mnot does that sound reasonable to you?
There was a problem hiding this comment.
If feature policy were a done deal, that might be OK, but it's still very unstable.
There was a problem hiding this comment.
OK, that sounds like an argument for more generic language.
mnot
changed the title
|
@yoavweiss is adding these definitions to the HTML spec here: whatwg/html@335f566 @mnot @igrigorik Maybe spin up a separate issue to discuss the level which delegation mechanisms should be explained/exampled in the CH spec? |
This PR is part of an attempt to address w3c/webappsec-permissions-policy#129 – using Feature Policy to let authors opt-into sending specific Client Hints to specific origins.
The overall, basic idea is: