Contact emails
aric...@chromium.org, jadekess...@chromium.org, miketa...@chromium.org

Design Doc
https://docs.google.com/document/d/1U3P9yvaT1NXG_qRmY3Lp6Me7M5kTnd3QrBb1yFUVNNk/edit

Specification
https://wicg.github.io/client-hints-infrastructure/

Summary
To support variable fonts <https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Fonts/Variable_Fonts_Guide>, color vector fonts <https://www.chromestatus.com/feature/5638148514119680>, responsive images <https://github.com/w3c/webappsec-permissions-policy/issues/55#issuecomment-406627096>, and other third-party content which requires client information lost by the user agent reduction <https://groups.google.com/a/chromium.org/g/blink-dev/c/R0xKm1B7qoQ> implementation we need a way to extend client hints <https://wicg.github.io/ua-client-hints/>. For example: variable fonts <https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Fonts/Variable_Fonts_Guide> allow significantly less font information to be transferred without loss of functionality, but only work on specific operating systems.

Blink component
Privacy>Fingerprinting <https://bugs.chromium.org/p/chromium/issues/list?q=component%3APrivacy%3EFingerprinting>

Motivation
It’s already possible to set a Permissions Policy <https://wicg.github.io/ua-client-hints/#delegation> in the HTTP response header, but for sites without the ability to modify HTTP headers an HTML solution would be ideal. This proposal prototypes a metadata meta tag which allows delegation of client hints to third-party origins. These tags could be included in code-snippets for embedded third-party content for ease of use.

For example, to specify third-party requests to `https://foo.bar` must include `sec-ch-width` you could include:

    <meta name="accept-ch" content="sec-ch-width=('self' 'https://foo.bar')">

You may still omit the permission policy and rely on the default allowlist as follows:

    <meta name="accept-ch" content="sec-ch-width">

Note that this is the equivalent of the following today:

    <meta http-equiv="accept-ch" content="sec-ch-width">

TAG review
Not needed

Risks
This extension makes it easier for web developers to expose client hints to third-party content, but does not increase the surface area from what was already allowed via HTTP response headers <https://wicg.github.io/ua-client-hints/#delegation>. Blink currently implements first party client hints via a `http-equiv` meta tag. This extension will have to co-exist with (as a `name` meta tag) or replace/remove that iteration upon final implementation.

Interoperability and Compatibility
Gecko: No official position on implementation (Client Hints considered non-harmful <https://github.com/mozilla/standards-positions/issues/79>; User Agent Client Hints considered harmful <https://github.com/mozilla/standards-positions/issues/202>)
WebKit: No official position on implementation
Web developers: Positive interest from Cloudinary <https://bugs.chromium.org/p/chromium/issues/detail?id=1219359#c10>

Debuggability
Any improperly formatted client hint meta tags will be flagged in the Issues tab.

Is this feature fully tested by web-platform-tests?
No, but it will be as part of prototyping.

Tracking bug
https://crbug.com/1219359

Link to entry on the Chrome Platform Status
https://www.chromestatus.com/features/5684289032159232
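Added example (not part of the original post, and not Chromium's code): a small auditor for the `content` value of the proposed `<meta name="accept-ch">` tag, listing which third-party origins each hint is delegated to and collecting malformed entries. The grammar is inferred from the two examples in the post; comma-separated entries, the function names, and the `sec-ch-dpr` sample are assumptions.

```javascript
// Parse the content attribute of the proposed <meta name="accept-ch"> tag.
// Assumed grammar: hint[=('self' 'https://origin' ...)], entries comma-separated.
function parseAcceptChContent(content) {
  const entries = [];
  const issues = [];
  // Split on commas that are not inside a parenthesised allowlist.
  for (const raw of content.split(/,(?![^(]*\))/)) {
    const entry = raw.trim();
    if (!entry) continue;
    const m = /^([a-z][a-z0-9-]*)(?:=\(([^()]*)\))?$/i.exec(entry);
    if (!m) { issues.push(`malformed entry: ${entry}`); continue; }
    const hint = m[1].toLowerCase();
    if (m[2] === undefined) {
      // Bare hint name: no explicit allowlist, the default allowlist applies.
      entries.push({ hint, allowlist: null });
      continue;
    }
    const allowlist = [];
    for (const item of m[2].split(/\s+/).filter(Boolean)) {
      const q = /^'(.*)'$/.exec(item);
      if (!q) { issues.push(`unquoted allowlist item for ${hint}: ${item}`); continue; }
      if (q[1] === 'self') { allowlist.push('self'); continue; }
      try {
        // Normalise to an origin so paths or trailing slashes do not hide duplicates.
        allowlist.push(new URL(q[1]).origin);
      } catch {
        issues.push(`invalid origin for ${hint}: ${q[1]}`);
      }
    }
    entries.push({ hint, allowlist });
  }
  return { entries, issues };
}

// Map each hint to the third-party origins that would receive it.
function thirdPartyDelegations(content) {
  const out = {};
  for (const { hint, allowlist } of parseAcceptChContent(content).entries) {
    const origins = (allowlist || []).filter((o) => o !== 'self');
    if (origins.length) out[hint] = origins;
  }
  return out;
}

// Constructed sample input: the post's first example plus a bare hint.
const sample = "sec-ch-width=('self' 'https://foo.bar'), sec-ch-dpr";
console.log(thirdPartyDelegations(sample), parseAcceptChContent(sample).issues);
```

Run over the meta tags of a page or a third-party embed snippet, the output gives a reviewer the list of origins that gain access to each hint before the snippet is deployed.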