Roman Danyliw's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 19 May 2020 18:55 UTC

From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-httpbis-client-hints@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, Mark Nottingham <mnot@mnot.net>, mnot@mnot.net
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <158991434279.11601.16393112682974603277@ietfa.amsl.com>
Date: Tue, 19 May 2020 11:52:22 -0700
Subject: Roman Danyliw's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)
Archived-At: <https://www.w3.org/mid/158991434279.11601.16393112682974603277@ietfa.amsl.com>

Roman Danyliw has entered the following ballot position for
draft-ietf-httpbis-client-hints-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-hints/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 4.1.  Per “Therefore, features relying on this document to define
Client Hint headers MUST NOT provide new information that is otherwise not
available to the application via other means, such as existing request headers,
HTML, CSS, or JavaScript”, would this text allow for a shift in permissiveness
if the referenced specs changed?  For example, if something was not permissible
in JavaScript/HTML/CSS “vX” today, but it was in “vX+1”, would that mean that
additional data could be sent as hints?  I’m exploring the value of assigning
version numbers to HTML, CSS and JavaScript to freeze the security assumptions.

** Section 4.1.  Per “User agents need to consider the value provided by a
particular feature vs these considerations, and MAY have different policies
regarding that tradeoff on a per-feature basis”, IMO more is needed to handle
these tradeoffs.  User agent implementations SHOULD expose this policy creation
process through a rich set of configuration/tuning options and with an API to
enable privacy-minded, third-party software to assist the user in making
choices.

** Section 4.1. Per “Implementers SHOULD restrict delivery of some or all
Client Hints header fields to the opt-in origin only, unless the opt-in origin
has explicitly delegated permission to another origin to request Client Hints
header fields”, how does this delegation happen?
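The two Section 4.1 points above (a per-feature policy the user can configure, and delivery restricted to the opt-in origin unless it delegates) can be made concrete with a small model of a user agent's hint-delivery decision. This is an added illustration, not code from the draft or from any browser; the hint names, the `Accept-CH` parsing, and the explicit delegation allow-list are assumptions for the example (the draft text quoted above leaves the delegation mechanism unspecified).

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    # Origin = scheme + host[:port], compared case-insensitively.
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def parse_accept_ch(value: str) -> set[str]:
    # Accept-CH carries a comma-separated list of hint names (case-insensitive).
    return {t.strip().lower() for t in value.split(",") if t.strip()}


@dataclass
class HintPolicy:
    # Per-feature policy, the configuration surface the comment asks for:
    #   "never"         - hint is never sent, whatever the origin asked for
    #   "opt-in-origin" - sent only to the origin that sent Accept-CH
    #   "delegated"     - also sent to origins the opt-in origin delegated to
    # An unknown feature falls back to "never" (default deny).
    policies: dict[str, str] = field(default_factory=dict)
    opt_ins: dict[str, set[str]] = field(default_factory=dict)      # origin -> hints
    delegations: dict[str, set[str]] = field(default_factory=dict)  # origin -> origins

    def record_accept_ch(self, response_url: str, header_value: str) -> None:
        # Persist the opt-in for the responding origin only, never for others.
        self.opt_ins.setdefault(origin_of(response_url), set()).update(
            parse_accept_ch(header_value))

    def delegate(self, opt_in_url: str, to_url: str) -> None:
        # Assumed mechanism: the opt-in origin names a third party explicitly.
        self.delegations.setdefault(origin_of(opt_in_url), set()).add(origin_of(to_url))

    def hints_for_request(self, context_url: str, request_url: str) -> set[str]:
        # context_url: top-level document whose origin may have opted in.
        # request_url: the request that would carry the hint.
        ctx, target = origin_of(context_url), origin_of(request_url)
        sent = set()
        for hint in self.opt_ins.get(ctx, set()):
            mode = self.policies.get(hint, "never")
            if mode == "never":
                continue
            if target == ctx:
                sent.add(hint)  # first party: the opt-in origin itself
            elif mode == "delegated" and target in self.delegations.get(ctx, set()):
                sent.add(hint)  # third party, but explicitly delegated
        return sent
```

With the constructed policy below, a tracker embedded on the page receives nothing even though the page opted in, and a delegated CDN receives only the hints the user's policy marks as delegable.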