IETF Logo Mail Archive

Re: Request-Off-The-Record Mode header

Martin Thomson <mt@lowentropy.net> Thu, 08 June 2023 23:28 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED4EC151089 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Jun 2023 16:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.745
X-Spam-Level:
X-Spam-Status: No, score=-7.745 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="iF8v+CIZ"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="p5Yrsb0T"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xR6a1yOhsmTP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 8 Jun 2023 16:28:17 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F1C3C14CEFF for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 8 Jun 2023 16:28:16 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1q7P2x-007Izz-N4 for ietf-http-wg-dist@listhub.w3.org; Thu, 08 Jun 2023 23:28:03 +0000
Resent-Date: Thu, 08 Jun 2023 23:28:03 +0000
Resent-Message-Id: <E1q7P2x-007Izz-N4@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <mt@lowentropy.net>) id 1q7P2v-007Iyy-OS for ietf-http-wg@listhub.w3.org; Thu, 08 Jun 2023 23:28:01 +0000
Received: from wnew1-smtp.messagingengine.com ([64.147.123.26]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <mt@lowentropy.net>) id 1q7P2t-0088QN-Na for ietf-http-wg@w3.org; Thu, 08 Jun 2023 23:28:01 +0000
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailnew.west.internal (Postfix) with ESMTP id 40E812B06807 for <ietf-http-wg@w3.org>; Thu, 8 Jun 2023 19:27:54 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Thu, 08 Jun 2023 19:27:54 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm2; t= 1686266873; x=1686274073; bh=SQb8ekiXsQnl0wwfQTvRa24s4xQMpJRXovA bfii4oxY=; b=iF8v+CIZLBBBlYWgK0z2EQoOcA5HPlmhBA6wZFKTE4Bi546ZH30 JD2udTcpzwvArg1SKqCybBEbxGFWRooHOjNPK+Zud1nPlgzWdYv64oiOr74BecW/ e3+hfh8qdhwjKW/hjvsY91vtrxEBSoqi7lvFZgZwKT+9toheduDk/kowsJrSZNdy pKIBLA0es3EPenr7V4h1Duq5ZbTXO1tQCAhKhbi3ijfVv3VN6bEFUBtEzk7AQlDU K8mzrQOCRztdFr5XDrK9XBtb4V761sdXSxiuhmmTQXYXwN4JIt3qkl7Est56oHa4 cs0kFbVkNwG1zlOmPF5dvNPYQ27AGT8ehqw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1686266873; x= 1686274073; bh=SQb8ekiXsQnl0wwfQTvRa24s4xQMpJRXovAbfii4oxY=; b=p 5Yrsb0Tj7FHeYfOYmAbt0P4DwgOw1l9FqHfsch7ibDWk9glvYNZ3/Nfdblwgklri +jvCxh4WICTNuMRPfNnwuZSZcDW/RQva3FPAfXwRk2+YiobFUuaV9x6M7xiYy4ZF WLXp2YKQUfKS7J9uX/WaWx5o4fzoXm+3KTokSPFzfJUw3Iy9qyPW/6COR9sSRrPe IpkHEIVDabHtX2EqeP06dyr2feiWHYHmvbjX2d11swGr7u6ro7AN19PcVzxSQn7h sQlHp7Htt+fecqQOxCYo5Fr/mMzdMwXbXa6/N/N2OZuLMvufiAXMYLQhp7aLp3Hk E3Yvp2yvQDoZCJbDtBw3A==
X-ME-Sender: <xms:-WOCZD2JCum_Bf2jGJEm-uEKcmHPJ0QJwvmS0gj3fT5E4hYLMQkh6w> <xme:-WOCZCFZ-2JoZRov8ZUh_lHdotON26Jwej5tulM6IwihADgZptC1rwK2_0gZi6Xky YnejKa7ARNrCugteQs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrgedtjedgvdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgovfgvgihtqfhnlhihqddqufhprghmsghothdqkg egvdehqddtheculdeftddtmdenucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredt reerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvg hnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepjeeufedvgefhvedtjeekvddv gffhvdejveejkeekhedtheeftdelhedvveejgeegnecuffhomhgrihhnpeiffedrohhrgh dprghkrgdrmhhspdgsrhgrvhgvrdgtohhmpdhmohiiihhllhgrrdhorhhgnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnth hrohhphidrnhgvth
X-ME-Proxy: <xmx:-WOCZD7x5LYc-KSLvt9HqHGCmEltxMhm62_YRZg2N7C2l8njMdEhBg> <xmx:-WOCZI3XQ_4_2hyR-taYRg3BmAkh3JRKB8cq9Kmn0uQPEVu7l91haw> <xmx:-WOCZGE5y26YBvYATd2c0innhimZoMIs1LfUOO_UdY2qdWeqjdKfOA> <xmx:-WOCZKT-udpWDPW33wjTjNYbRgGEEl9S34kxumHg3Q84o6eJYMape2iCo9Y>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3C202234007B; Thu, 8 Jun 2023 19:27:53 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-447-ge2460e13b3-fm-20230525.001-ge2460e13
Mime-Version: 1.0
Message-Id: <57fb06ff-0791-459c-9ea1-12149616f82c@betaapp.fastmail.com>
In-Reply-To: <CAPDSy+4dXuF1YTWAC+v0dAVF5E=+D45v35vL69od718KzAWKqQ@mail.gmail.com>
References: <CAG3f7Mi=QVLNdxL5LWxzf-2uAT8KO9B-NWFoaM_HHOvpiPzbRA@mail.gmail.com> <SA1PR00MB1461642051E1C9091088F2D8F750A@SA1PR00MB1461.namprd00.prod.outlook.com> <CAPDSy+4dXuF1YTWAC+v0dAVF5E=+D45v35vL69od718KzAWKqQ@mail.gmail.com>
Date: Fri, 09 Jun 2023 09:27:32 +1000
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=64.147.123.26; envelope-from=mt@lowentropy.net; helo=wnew1-smtp.messagingengine.com
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=lowentropy.net), signature is good
X-W3C-Hub-DKIM-Status: validation passed: (address=mt@lowentropy.net domain=messagingengine.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-6.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1q7P2t-0088QN-Na 2f89fc76103cf2aa219db60ab155bfcb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Request-Off-The-Record Mode header
Archived-At: <https://www.w3.org/mid/57fb06ff-0791-459c-9ea1-12149616f82c@betaapp.fastmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51145
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I am a staunch opponent of the use of consent for this sort of thing.  Notice, perhaps, I might be able to get behind.

To manage risk of destroying potential audit trails, it seems like it would be reasonable for browsers to ignore the signal if the site took actions that might result in permanent effects (like downloads of malware, use of powerful features that do require consent, that sort of thing).  The browser might retain *less* information, and create warnings if it does, but accountability is important.

HTTP WG seems fine as a destination (for some reason my instinct was DISPATCH, but I couldn't work out why I thought that).

On Fri, Jun 9, 2023, at 07:51, David Schinazi wrote:
> This sounds very useful for the domestic violence resources use case, 
> but at the same time I could imagine malware websites abusing it to 
> erase traces of how a machine got infected. Would it be possible to get 
> user consent per origin for this?
> David
>
> On Thu, Jun 8, 2023 at 2:42 PM Eric Lawrence 
> <Eric.Lawrence@microsoft.com> wrote:
>> This generally seems useful. ____
>> __ __
>> I can foresee some user confusion if a user encountered the interstitial page when visiting the target site in InPrivate/Incognito mode, but I also wouldn’t want to skip the interstitial page in those privacy modes (because it could be abused as an oracle that would reveal to the site whether a visitor is using a Private Mode already). 
>> 
>> In Chromium-based browsers, browser extensions are disabled by default while in Private Mode. It does not look like you propose to disable extensions from interacting with “Off-the-record” sites?____
>> __ __
>> *From:* Shivan Kaul Sahib <shivankaulsahib@gmail.com> 
>> *Sent:* Thursday, June 8, 2023 2:14 PM
>> *To:* public-webappsec@w3.org; HTTP Working Group <ietf-http-wg@w3.org>
>> *Subject:* Request-Off-The-Record Mode header____
>> __ __
>> You don't often get email from shivankaulsahib@gmail.com. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification>____
>> Hi folks, this is a head's up and early request for feedback:  ____
>> __ __
>> Brave is shipping support for an HTTP response header sent by a website that wants the client to treat the website as "off-the-record" i.e. not store anything in storage, not record the site visit in history etc. Kind of like incognito/private browsing mode but site-initiated and only for a specific website. The header is simple: it would look like `Request-OTR: 1`. Some details here: https://brave.com/privacy-updates/26-request-off-the-record/#request-otr-header. Currently we bootstrap for websites that have expressed interest in this (mainly websites that have help resources for domestic violence victims, which was the driving use-case) by preloading a list of websites into the browser, but it would be nice to standardize the header. We're considering doing the work in the HTTP WG at IETF: it's envisioned to be a simple header.
>> 
>> I see that this idea was previously discussed in W3C WebAppSec: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html, and there was a draft Mozilla spec: https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades, though as a CSP directive. ____
>> __ __
>> Happy to hear what people think.____
>> __ __
>> __ __

v2.23.0 | Report a Bug | By Email