Contact emails
[email protected], [email protected], [email protected]

Design Doc
https://docs.google.com/document/d/1igtMPtVTiX24bVaUo6tBgx3B16-HmUVPG7iDP5HkzD0/edit

Specification
https://wicg.github.io/client-hints-infrastructure/

Summary
One residue of the rapid Client Hints Infrastructure <https://wicg.github.io/client-hints-infrastructure/> iteration is the concept of a `legacy` client hint. It’s a set of 4 hints (`dpr`, `width`, `viewport-width`, and `device-memory`) which have a default allowlist of `self` (meaning that they are not sent to third-party subresources unless delegated via Permissions Policy) but behave as though they have a default allowlist of `*` (meaning they are sent to third-party subresources as long as the first-party page requests them) on Android.

This `legacy` client concept on Android will be removed and a permissions policy will be required to delegate the 4 affected hints.

As of M100, Markup based Client Hint Delegation <https://groups.google.com/a/chromium.org/g/blink-dev/c/JQ68cvYuiQU/m/bFjAWmy3AAAJ> is now available to allow delegation via HTML instead of HTTP headers.

Blink component
Blink>Network>ClientHints <https://bugs.chromium.org/p/chromium/issues/list?q=component%3ABlink%3ENetwork%3EClientHints>

Motivation
We want to bring these 4 hints in line with the spec; fixing this will increase privacy on Android by requiring explicit delegation of these hints.

TAG review
N/A (this change brings Android behavior in line with the spec and better preserves privacy)

Compatibility
Websites visited by Android devices that request the legacy device-memory, dpr, width, and viewport-width hints would no longer have these hints delegated by default to third-party subresources. This would match the current behavior on desktop.

Third-party subresources which need these hints would need to get the first party that loads them to adopt HTTP <https://w3c.github.io/webappsec-permissions-policy/#serialization> or HTML <https://docs.google.com/document/d/1U3P9yvaT1NXG_qRmY3Lp6Me7M5kTnd3QrBb1yFUVNNk/edit> delegation of client hints.

The design doc <https://docs.google.com/document/d/1igtMPtVTiX24bVaUo6tBgx3B16-HmUVPG7iDP5HkzD0/edit> has usage/top-site information, and outreach is underway to ensure third parties expecting this information are aware of the change. The number of sites which require default third-party delegation of these hints is likely much lower than the number of sites which incidentally do so by default. As we encourage Client Hint adoption, we want to ensure dependency doesn’t form on legacy, non-compliant behavior.

Interoperability
Gecko: Client Hints not yet implemented (considered non-harmful <https://mozilla.github.io/standards-positions/#http-client-hints>)
WebKit: Client Hints not yet implemented
Web developers: No feedback yet

Debuggability
N/A

Is this feature fully tested by web-platform-tests?
New WPT will be added to ensure these hints are not delegated by default.

Tracking bug
https://crbug.com/1227043

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5694492182052864
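The delegation change described above, as an added example (not part of the original message and not Chromium's implementation): a simplified model of which of the 4 hints reach a subresource, given the first party's Accept-CH and Permissions-Policy response headers. The function names, the origins shop.example and img.example, the minimal header parser, and the choice to let an explicit policy override the old Android default are all assumptions made for illustration.

```javascript
// Added example: simplified model, not Chromium code.
const LEGACY_HINTS = ['dpr', 'width', 'viewport-width', 'device-memory'];

// Accept-CH is a comma-separated list of case-insensitive hint names.
function parseAcceptCH(value) {
  return new Set((value || '').split(',').map(t => t.trim().toLowerCase()).filter(Boolean));
}

// Minimal Permissions-Policy parser: handles `ch-x=*`, `ch-x=self`, `ch-x=()`
// and `ch-x=(self "https://origin")`. Not a full Structured Fields parser.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  const re = /([a-z0-9-]+)\s*=\s*(\*|self|\(([^)]*)\))/gi;
  for (const m of (value || '').matchAll(re)) {
    const items = m[3] !== undefined ? m[3].split(/\s+/).filter(Boolean) : [m[2]];
    policy.set(m[1].toLowerCase(), items.map(i => i.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Returns the subset of the 4 hints attached to a request for resourceUrl.
// legacyAndroid=true models the removed behaviour (default allowlist acts like `*`).
function hintsSentTo(resourceUrl, pageUrl, headers, { legacyAndroid = false } = {}) {
  const target = new URL(resourceUrl).origin;
  const self = new URL(pageUrl).origin;
  const requested = parseAcceptCH(headers['accept-ch']);
  const policy = parsePermissionsPolicy(headers['permissions-policy']);
  return LEGACY_HINTS.filter(hint => {
    if (!requested.has(hint)) return false; // first party never asked for it
    // Assumption: an explicit policy entry replaces the default in both modes.
    const allow = policy.get('ch-' + hint) || [legacyAndroid ? '*' : 'self'];
    return allow.some(a => a === '*' || (a === 'self' ? self : a) === target);
  });
}

// Constructed sample: first-party page on shop.example loading an image from img.example.
const PAGE = 'https://shop.example/';
const IMG = 'https://img.example/hero.jpg';
const optIn = { 'accept-ch': 'DPR, Width, Viewport-Width, Device-Memory' };
const delegated = { ...optIn,
  'permissions-policy': 'ch-dpr=(self "https://img.example"), ch-width=*' };

console.log('old Android default:', hintsSentTo(IMG, PAGE, optIn, { legacyAndroid: true }));
console.log('after removal      :', hintsSentTo(IMG, PAGE, optIn));
console.log('explicit delegation:', hintsSentTo(IMG, PAGE, delegated));
```

Comparing the first two results for a site's own headers shows which third-party requests lose hints once the default stops behaving like `*`.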
