Re: Migrating some high-entropy HTTP headers to Client Hints.

Mark Nottingham <mnot@mnot.net> Sun, 02 December 2018 03:52 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CACj=BEhwdFCq+F3jUt49SsHFmcEj0A7uSfvU=H25-Sn2VWq1vg@mail.gmail.com>
Date: Sun, 02 Dec 2018 14:48:27 +1100
Cc: Mike West <mkwst@google.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <EF037FEC-0B9C-4E9C-B20C-FBABC2FB1761@mnot.net>
References: <CAKXHy=eHiMtXi8vkDYtADHdU0tnUfd3p+Wfy7vSkLgT7cA1W0w@mail.gmail.com> <538F7C6E-EB14-4B49-B9B5-BED066E5838F@mnot.net> <CAKXHy=dhdrbB1i5d5=dXC-kz2kby3-GVwkwHESvP8uwqgrQAwg@mail.gmail.com> <CACj=BEhwdFCq+F3jUt49SsHFmcEj0A7uSfvU=H25-Sn2VWq1vg@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>, Ilya Grigorik <igrigorik@google.com>
Archived-At: <https://www.w3.org/mid/EF037FEC-0B9C-4E9C-B20C-FBABC2FB1761@mnot.net>

Speaking personally --

I could see splitting out the various task-specific bits into separate documents (e.g., images).

However, it's not good to ship a framework like this without having it actually working for a real-world use case, so even if we split out all of the various CHs into separate docs, I think we'd need to hold the "main" document until at least one of those is ready.

Just a thought -- replacing User-Agent is probably suitable for that test case (in addition to the image-focused stuff, or perhaps instead of it). If we do decide to do that, it might be suitable to put it in the core document, since that seems like it's pretty central to what's going on here (the current claims in the document about not replacing UA notwithstanding).

Chair hat on -- what I did notice was that when the update for CH was read in Bangkok, *many* WG participants expressed surprise at the direction you were taking it in; most people seemed to think that this document was almost done in its current form, and there was concern that the forming WG consensus on that was being disregarded. So whatever you do here, please make sure you get buy-in on the list, and make sure you coordinate with the chairs. Continuing this discussion and moving towards a common idea of what the doc(s) should include, when we should ship them, etc. sounds like a good start.

Cheers,


> On 30 Nov 2018, at 9:10 pm, Yoav Weiss <yoav@yoav.ws> wrote:
> 
> 
> 
> On Fri, Nov 30, 2018 at 9:47 AM Mike West <mkwst@google.com> wrote:
> On Fri, Nov 30, 2018 at 1:30 AM Mark Nottingham <mnot@mnot.net> wrote:
> I, for one, welcome our new Client Hint overlords.
> 
> Personally, I'd like to see these integrated into the current CH document, rather than as separate drafts. CH still needs some work, so it's not like we're going to get it out the door tomorrow.
> 
> On my list, I want to remove the specific image-related features and move them to their own specification, with a well defined browser processing model.
> Anything else that's needed to get CH infra "out the door tomorrow"? :)
>  
> 
> These hints seem pretty clearly separable from the infrastructure upon which they're built. I'd prefer to split them out into things-in-themselves that we can point developers towards independently, giving ourselves the opportunity to explain the rationale and background more coherently than I think we'll be able to if we bury these in a subsection of the larger document.
> 
> Similarly, I'd prefer clear distinctions between "CH as infrastructure" and "Features that use the CH infrastructure".
> We've had a lot of confusion and resistance to "CH the infrastructure" due to some of the features that rely on it, and clearly separating the two will enable implementations and user-agents to say "I support the CH infrastructure, and certain features relying on it, but not feature X".
> 
> From a procedural perspective, we wouldn't want every added feature to delay "CH as infrastructure" to advance.
>   
> 
> I'll defer to the group as to how y'all would like to handle these, but I'd prefer several short and focused docs as a reader.
> 
> -mike
> 
> However, it seems like Ilya wants to go in a different direction, based upon the notes we received for Bangkok.
> 
> Ilya, your thoughts?
> 
> 
> 
> > On 29 Nov 2018, at 9:22 pm, Mike West <mkwst@google.com> wrote:
> > 
> > Hey folks,
> > 
> > Section 9.7 of RFC7231 rightly notes that some of the content negotiation headers user agents deliver in HTTP requests create substantial fingerprinting surface. I think it would be beneficial if we took steps to reduce their prevalence on the wire, and Client Hints looks like a reasonable infrastructure on top of which to build.
> > 
> > `User-Agent` and `Accept-Language` seem like particularly tasty and low-hanging fruit, and I've sketched out two proposals as proofs of concept:
> > 
> > *   `User-Agent` could be represented as ~four distinct hints: `UA`, `Model`, `Platform`, and `Arch`: https://github.com/mikewest/ua-client-hints is a high-level explainer, and https://tools.ietf.org/html/draft-west-ua-client-hints a sketchy ID for the new headers.
> > 
> > *   `Accept-Language` could be represented as a `Lang` hint: https://github.com/mikewest/lang-client-hint is a high-level explainer, https://tools.ietf.org/html/draft-west-lang-client-hint an equally sketchy ID for the new header.
> > 
> > I'd appreciate y'all's feedback. Thanks!
> > 
> > -mike
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

--
Mark Nottingham   https://www.mnot.net/
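Mike's proposal quoted above (User-Agent split into UA, Model, Platform and Arch hints; Accept-Language carried as a Lang hint) rests on the Client Hints opt-in model: a server names the hints it wants, and the client sends only those, only to that origin, instead of volunteering the full strings to everyone. The block below is an added example, not code from the thread or from the Client Hints, UA-CH or Lang-CH drafts; it simulates that model at the level a browser sees it so the reduction in what goes on the wire is concrete. It assumes Accept-CH is the opt-in response header (as in the Client Hints draft), makes up the hint value formats, and remembers opt-ins per origin for the session only; the drafts' real persistence rules are not modelled.

```javascript
// Added example: a simulation of the Client Hints opt-in model, written to
// illustrate the proposal in the thread. It is not code from the thread or
// from the Client Hints / UA-CH / Lang-CH drafts.
//
// Assumptions (not stated on the page): Accept-CH is the response header a
// server uses to opt in to hints, as in the Client Hints draft; the hint
// value formats below are made up; opt-ins are remembered per origin for
// the session only.

// Constructed sample client profile; no real browser's values.
const PROFILE = {
  // What a legacy client sends unconditionally, to every origin.
  userAgent: 'Mozilla/5.0 (Linux; ExampleOS 9; ExamplePhone) ExampleBrowser/71.0',
  acceptLanguage: 'en-AU,en;q=0.9',
  // The same information split into the hints proposed in the thread.
  ua: 'ExampleBrowser 71',
  model: 'ExamplePhone',
  platform: 'ExampleOS 9',
  arch: 'arm64',
  lang: 'en-AU, en',
};

// Hint name -> profile attribute it exposes.
const HINT_SOURCES = { UA: 'ua', Model: 'model', Platform: 'platform', Arch: 'arch', Lang: 'lang' };

// Parse an Accept-CH field value into the set of hints this client supports.
// Token matching is case-insensitive, unknown tokens are dropped and
// duplicates collapse, so a server cannot make the client emit an attribute
// the client never defined.
function parseAcceptCH(value) {
  const known = new Map(Object.keys(HINT_SOURCES).map((h) => [h.toLowerCase(), h]));
  const wanted = new Set();
  for (const token of String(value || '').split(',')) {
    const name = token.trim().toLowerCase();
    if (known.has(name)) wanted.add(known.get(name));
  }
  return wanted;
}

// Per-origin record of which hints an origin asked for.
class HintStore {
  constructor() {
    this.byOrigin = new Map();
  }
  // Call when a response from `origin` carries an Accept-CH header.
  recordOptIn(origin, acceptCH) {
    this.byOrigin.set(origin, parseAcceptCH(acceptCH));
  }
  optedIn(origin) {
    return this.byOrigin.get(origin) || new Set();
  }
}

// Headers the client attaches to a request to `origin`.
//   legacy = true : today's behaviour, User-Agent and Accept-Language always.
//   legacy = false: only the hints this origin opted in to, nothing otherwise.
function buildRequestHeaders(profile, store, origin, legacy) {
  const headers = {};
  if (legacy) {
    headers['User-Agent'] = profile.userAgent;
    headers['Accept-Language'] = profile.acceptLanguage;
    return headers;
  }
  for (const hint of store.optedIn(origin)) {
    headers[hint] = profile[HINT_SOURCES[hint]];
  }
  return headers;
}

// Walk through one session: example.com opts in to three hints (with a
// duplicate and an unknown token in its Accept-CH), other.example never does.
function demo() {
  const store = new HintStore();
  store.recordOptIn('https://example.com', 'UA, lang, Model, no-such-hint, ua');
  return {
    legacy: buildRequestHeaders(PROFILE, store, 'https://example.com', true),
    hinted: buildRequestHeaders(PROFILE, store, 'https://example.com', false),
    other: buildRequestHeaders(PROFILE, store, 'https://other.example', false),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`. In legacy mode both full strings go to every origin on every request; in hint mode example.com receives exactly UA, Lang and Model, other.example receives nothing, and the unknown token in Accept-CH is silently dropped. That last point is the one to keep in mind when reviewing a hint spec: the client's list of defined hints, not the server's request, bounds what can be extracted.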