Check Feature Policy before attaching Client Hints#811
Check Feature Policy before attaching Client Hints#811eeeps wants to merge 2 commits intowhatwg:masterfrom
Conversation
| policy-controlled feature</a>, returns <code>true</code>, the user agent should | ||
| <a for="header list">append</a> <var>hintName</var>/<var>value</var> to <var>request</var>'s | ||
| <a for=request>header list</a>. | ||
| [[!FEATURE-POLICY]] [[!CLIENT-HINTS]] |
There was a problem hiding this comment.
Some existing plumbing that we need to refactor:
- https://fetch.spec.whatwg.org/#client-hints-list
- Fetching steps 6+7: https://fetch.spec.whatwg.org/#fetching
I think the behavior we want here is..
- We need to define the Accept-CH opt-in processing in HTML spec
- For nav request, update Fetch to reference (1) instead of current "client hints tokens" ref to IETF spec
- For subresources, execute algorithm defined in FP, checking for delegation
There was a problem hiding this comment.
(1) and (2) are implemented (but not yet landed) in whatwg/html#3774 and #773
@eeeps & @tarunban - maybe we should merge all the different CH related PRs, to make it easier to discuss them in a holistic manner. Thoughts?
There was a problem hiding this comment.
Yeah, I'd much prefer we don't add feature policy until the architecture is more correctly described.
|
I agree that it's best to merge related PRs. However, I really do not have a pending PR. So, I am not sure if I can help much here. |
|
Closing, as I've moved this PR at over to yoavweiss#1 in order to consolidate CH/Fetch work. |
4 participants
This PR is part of an attempt to address w3c/webappsec-permissions-policy#129 – using Feature Policy to let authors opt-into sending specific Client Hints to specific origins.
The overall, basic idea is:
Preview | Diff