Request-Off-The-Record Mode header
Shivan Kaul Sahib <shivankaulsahib@gmail.com> Thu, 08 June 2023 19:17 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D97EC151063 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Jun 2023 12:17:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.745
X-Spam-Level:
X-Spam-Status: No, score=-7.745 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZU-ywfC7PWGt for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Jun 2023 12:17:38 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D673C14CE54 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 8 Jun 2023 12:17:37 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1q7L6B-006gu3-Ad for ietf-http-wg-dist@listhub.w3.org; Thu, 08 Jun 2023 19:15:07 +0000
Resent-Date: Thu, 08 Jun 2023 19:15:07 +0000
Resent-Message-Id: <E1q7L6B-006gu3-Ad@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <shivankaul.1993@gmail.com>) id 1q7L69-006gsn-R9; Thu, 08 Jun 2023 19:15:05 +0000
Received: from mail-wr1-x42a.google.com ([2a00:1450:4864:20::42a]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <shivankaul.1993@gmail.com>) id 1q7L68-0081IW-EN; Thu, 08 Jun 2023 19:15:05 +0000
Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-30c2bd52f82so1042981f8f.3; Thu, 08 Jun 2023 12:15:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1686251699; x=1688843699; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=xI8qgSGfjuPZyp46kAKhTIk0W66+SgEIbIMNpKY8Boc=; b=rVLkk6GVH9qWO0Vg8bA5tIeA99SVUuLMaujnJZhZoupJb6JcrBC8olUYV9CrEp/yn3 3XQOSwp3CyQ/xmm4TPR+MCm0PAi0HzKEE5CW1fKWYmi40eaLjKxqcucT4FBApMvWDdfs qgFODLIJpFfLJB3O3sNLCybptOr72JXxZGaQsT5P//nUpjHQ9hNhg+m0Pn6m0rJixdth bOWFQClxyVWtSlsEMbgNFIYFcd4JBOf9R/fjNXaYHoQwNazgl6W4LmDWtRZMy03uuQaE xATBtfDly4wBdORN5O7Ht8mefiJ6LVBoG+OqrtWTMzpJXHtSsmd9xvtjX3tQJqFoClZE 3OJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686251699; x=1688843699; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=xI8qgSGfjuPZyp46kAKhTIk0W66+SgEIbIMNpKY8Boc=; b=BLsnQRLrioga6cRzn93PqDYM90h7hWqjuWdXk/UklNdn7CWXwY29x+e40PoQCyZKDQ lO3X8wZye3sQwMdCR4xpeXYItRgKEvGfFdFCV9L65FrwpMo3loBmOGEcuun4uJZpdSWU d/QiF6op+y/Xb8wQ25Hl7WceBZCd0eIlcihAYm9HX9Nol9DZN15Bz14M8OKl6AwAv9a9 WjFKsWXLMRvfw+LEr5eMHXIOQTysijuK3nJKatOSYfV9J7TJFB58iGkm39eFThGbxi7s fDW8tc/DyWCthf3tqf/3QlrfjXvkfdwx/2JVq+BVgO5zfz45zPIsBJztSwxEJW09GDBq l90w==
X-Gm-Message-State: AC+VfDyjYlc5TCoga6R2gdkCL1QYL6x36Y8Dy3DUDiB0g1ogoHQdcIOV +RpQ/PpCF9W4DLlQU53AJV26MPaOWvhhG8gNz5M5VnMrJ9w=
X-Google-Smtp-Source: ACHHUZ5oUQlP+ttSnj/b5W8JV3dftKWd3F1TAGuS9K3NyAZoR2SWj/QQn5YeCMX6pejSd468Mh9jGo1INV2WNXR9PcA=
X-Received: by 2002:adf:d083:0:b0:30e:46d4:64ee with SMTP id y3-20020adfd083000000b0030e46d464eemr8326936wrh.29.1686251699232; Thu, 08 Jun 2023 12:14:59 -0700 (PDT)
MIME-Version: 1.0
From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Date: Thu, 08 Jun 2023 12:14:23 -0700
Message-ID: <CAG3f7Mi=QVLNdxL5LWxzf-2uAT8KO9B-NWFoaM_HHOvpiPzbRA@mail.gmail.com>
To: public-webappsec@w3.org, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000088e32d05fda311c9"
Received-SPF: pass client-ip=2a00:1450:4864:20::42a; envelope-from=shivankaul.1993@gmail.com; helo=mail-wr1-x42a.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=shivankaul.1993@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1q7L68-0081IW-EN 46123b7a9a87ac37b8ed56bee9b7b8cc
X-Original-To: ietf-http-wg@w3.org
Subject: Request-Off-The-Record Mode header
Archived-At: <https://www.w3.org/mid/CAG3f7Mi=QVLNdxL5LWxzf-2uAT8KO9B-NWFoaM_HHOvpiPzbRA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51141
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi folks, this is a head's up and early request for feedback: Brave is shipping support for an HTTP response header sent by a website that wants the client to treat the website as "off-the-record" i.e. not store anything in storage, not record the site visit in history etc. Kind of like incognito/private browsing mode but site-initiated and only for a specific website. The header is simple: it would look like `Request-OTR: 1`. Some details here: https://brave.com/privacy-updates/26-request-off-the-record/#request-otr-header. Currently we bootstrap for websites that have expressed interest in this (mainly websites that have help resources for domestic violence victims, which was the driving use-case) by preloading a list of websites into the browser, but it would be nice to standardize the header. We're considering doing the work in the HTTP WG at IETF: it's envisioned to be a simple header. I see that this idea was previously discussed in W3C WebAppSec: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html, and there was a draft Mozilla spec: https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades, though as a CSP directive. Happy to hear what people think.
- Request-Off-The-Record Mode header Shivan Kaul Sahib
- RE: Request-Off-The-Record Mode header Eric Lawrence
- Re: Request-Off-The-Record Mode header David Schinazi
- Re: Request-Off-The-Record Mode header Martin Thomson
- Re: Request-Off-The-Record Mode header Watson Ladd
- Re: Request-Off-The-Record Mode header Anne van Kesteren
- Re: Request-Off-The-Record Mode header Ángel
- Re: Request-Off-The-Record Mode header Shivan Kaul Sahib
- Re: Request-Off-The-Record Mode header Shivan Kaul Sahib
- Re: Request-Off-The-Record Mode header Greg Wilkins
- Re: Request-Off-The-Record Mode header Shivan Kaul Sahib
- Re: Request-Off-The-Record Mode header Shivan Kaul Sahib
- Re: Request-Off-The-Record Mode header Mike West
- Re: Request-Off-The-Record Mode header Dennis Jackson
- Re: Request-Off-The-Record Mode header Caleb Queern
- Re: Request-Off-The-Record Mode header Mike West
- Re: Request-Off-The-Record Mode header Caleb Queern
- Re: Request-Off-The-Record Mode header Shivan Kaul Sahib