Roman Danyliw's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)

Roman Danyliw via Datatracker <> Tue, 19 May 2020 18:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CEFFF3A0D21 for <>; Tue, 19 May 2020 11:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.649
X-Spam-Status: No, score=-2.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sHn-3fC4ZlWR for <>; Tue, 19 May 2020 11:55:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 38F603A0B72 for <>; Tue, 19 May 2020 11:55:42 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jb7Ly-0002AX-Mc for; Tue, 19 May 2020 18:52:38 +0000
Resent-Date: Tue, 19 May 2020 18:52:38 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jb7Lx-00029m-EG for; Tue, 19 May 2020 18:52:37 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jb7Lv-0004RG-Kp for; Tue, 19 May 2020 18:52:37 +0000
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id 082C63A0D3E; Tue, 19 May 2020 11:52:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <>
To: "The IESG" <>
Cc:,,, Mark Nottingham <>,
X-Test-IDTracker: no
X-IETF-IDTracker: 6.130.1
Auto-Submitted: auto-generated
Reply-To: Roman Danyliw <>
Message-ID: <>
Date: Tue, 19 May 2020 11:52:22 -0700
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-6.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jb7Lv-0004RG-Kp 93d0913fd899979b1b15e495045ad4c2
Subject: Roman Danyliw's No Objection on draft-ietf-httpbis-client-hints-14: (with COMMENT)
Archived-At: <>
X-Mailing-List: <> archive/latest/37671
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Roman Danyliw has entered the following ballot position for
draft-ietf-httpbis-client-hints-14: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


** Section 4.1.  Per “Therefore, features relying on this document to define
Client Hint headers MUST NOT provide new information that is otherwise not
available to the application via other means, such as existing request headers,
HTML, CSS, or JavaScript”, would this text allow for a shift in permissiveness
if the references specs changed?  For example, if something was not permissible
in Javascript/HTML/CSS “vX” today, but it was in “vX+1”, would that mean that
additional data could be sent as hints?  I’m exploring the value of assigning
version numbers to HTML, CSS and Javascript to freeze the security assumptions.

** Section 4.1.  Per “User agents need to consider the value provided by a
particular feature vs these considerations, and MAY have different policies
regarding that tradeoff on a per-feature basis”, IMO more is needed to handle
these tradeoffs.  User agent implementations SHOULD expose this policy creation
process through a rich set of configuration/tuning options and with an API to
enable privacy-minded, third party software to assist the user in making

** Section 4.1. Per “Implementers SHOULD restrict delivery of some or all
Client Hints header fields to the opt-in origin only, unless the opt-in origin
has explicitly delegated permission to another origin to request Client Hints
header fields”, how does this delegation happen?