IETF Logo Mail Archive

Re: Working Group Last Call: HTTP Client Hints

Julian Reschke <julian.reschke@gmx.de> Sun, 23 February 2020 13:20 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B3513A0F3B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 23 Feb 2020 05:20:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.65
X-Spam-Level:
X-Spam-Status: No, score=-2.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1chhe8ycqL9x for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 23 Feb 2020 05:20:22 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B42833A0F06 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 23 Feb 2020 05:20:22 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1j5r8I-0003bo-Pw for ietf-http-wg-dist@listhub.w3.org; Sun, 23 Feb 2020 13:17:18 +0000
Resent-Date: Sun, 23 Feb 2020 13:17:18 +0000
Resent-Message-Id: <E1j5r8I-0003bo-Pw@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <julian.reschke@gmx.de>) id 1j5r8C-0003b2-FW for ietf-http-wg@listhub.w3.org; Sun, 23 Feb 2020 13:17:12 +0000
Received: from mout.gmx.net ([212.227.17.22]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <julian.reschke@gmx.de>) id 1j5r89-0006Qw-Rj for ietf-http-wg@w3.org; Sun, 23 Feb 2020 13:17:12 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1582463809; bh=Rfj5hjgbeDBI2YgJkwMVrIMGvjYUn+sryOdRSdvGUHs=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=W/FktP5U1FWUle7ROpzzQyUbIuz0Wp7FRgm+56VsQ4f7FkdizHBZRkf2OGVBsfhf4 9kUnynWG1C5cJpylRNpoSWdgzwvxPwMlMN6dADzU3aVQkfo4dg42d3EC6VjE9ZVJxf p7pDbBmtjSyipdI3+zk2Rj/9nbfOpwYZ00t21L3g=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.124] ([84.171.153.104]) by mail.gmx.com (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1M7JzQ-1j4jbZ2OS4-007n9x; Sun, 23 Feb 2020 14:16:49 +0100
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Cc: Tommy Pauly <tpauly@apple.com>
References: <5051090A-C16C-474E-A1F8-437A562B1279@mnot.net>
From: Julian Reschke <julian.reschke@gmx.de>
Message-ID: <543e0e07-fb81-8b9c-f236-f8c6d71c1e4a@gmx.de>
Date: Sun, 23 Feb 2020 14:16:49 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <5051090A-C16C-474E-A1F8-437A562B1279@mnot.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:skbsK78VuSwwED0o2bw0BnVNU4Ncg8N87m+20Zf1CYERkc+fzwD kiKxEggcgGvLRoUYe+edp+8aENnUnFVqyKqsfcN4/O73JNwp/xYISPatSKFmi83GSilLbL5 cDaXTZScJbppW0yt7L/GTZrEHJJ/WWzR6odaJydE6mCdn2S4BoypcgSGD75/FnDuuT4YgrQ TPPDgtjKtEsXDhIzRRdSg==
X-UI-Out-Filterresults: notjunk:1;V03:K0:gLIr4vXCHt0=:VWgiL1Ko4RrCDrpfANPg87 ZF4n3rooKsH4cs1G9FtXBWAAy0YxPSWkGoFpdV3reftAv3D6mm1oEoTSK2BWav+PnrwtvT2YH F6KeEHS+FhrVRcWzrwfo/snzE/m/Tr9EPH6H1gHM9G9yRgOYEVHj3D6ccEu8f3DoM9xAgYjFj b/FYkYQEqGSZVif9S9lcpy1avF6A5imj+4x5DrvAieUfsnUIi0s/omyku6+8HYbcb/IVMFR2d eNlA5XEgW7SLRBUnRpgGGenwqxXnxHtShjLXCL21NBowbn3KlFfIr8BZ4A1T1Bv/BDX5uUxOA bUcwvSchCZ9jnEbtK57KPh3t3ydsnlOrLbwrgLNQT+aX/dWf1/tjRCiAoXA8T6ZY9xs8/F8X8 E+XkNCleAmq6A1gfqF+xffAsVAxNXXmQkIKhZ1l3BTsmwZxKCeeAihUnQUAAOoCFRC1GN5bVJ k02+DxFzLx5U9GRQDKiKg5CXu6JgQR3HRRpSeRULeH9RpEPnUrXRnEt7qClvF3Fc9SNY41isJ et4yVTg1ygiRsAGZ9YVGbHeUfp7isVyiwluoJ5dAYtjjShuSKaDSAPQdWaCAiEEfnBZmhF5Lv QQ2IDNZeGEKCMeZwTWFgnsmiH2b9nuzAWfk0eEVA2ME8fROaN2tfYJqaICcXCS/6ADh1HQywv 1NUkcaZw6sGgs2tlrhEx0RdenJVQQOe/4fcgv1RU5f63k1qHLBwLoOT+yFnjfpg4lzCMCto/t hfxvq2z449UwDJb46rCxL33dVriyqso+qkeu58DIrduvHhHrXH8HBktCnzASn9HyiHUDXpRUy 2e50933ClBZfdd8T04C8OLvgAuHdT/dYLN/qAOTJ/xKayWFRvY5eNzdsC6/0mTqIqsKdl03/1 Swv8l6X48lzW6aFow2fkcnBQffVAdVOmUjSBPBpaiRoEnPKLr24xYGBpP45bukTIuedwUL2NR bgvC218O2Qll080AwCj7yIioxnCRk6x1k2uP3QDed+gujTGJOCpIPBxbXAXU6m9aZNIwVyTXo HWXysVYxqJdGNXhawKWL/jXeLvPmj6OTGNgpX6sDQk2zH8qNvUA0DDdMBi/JxIb4BX4VepNDy DM/5sOopj0Eupbed6tYdhKuJ5dRWnQxFSyoMMrhHVOgTM8Oaf9ATHsmgzLPa42WF6vbZjcUX4 oKsA/i3QjrWxjnHh3J01xUUy9iXVyakK+qPHjgDgd4I6aDtLunQHJbbxlPVoE7Srt4VYkXHo2 9UEtePYARgfLp4FQF
Received-SPF: pass client-ip=212.227.17.22; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-Spam-Status: No, score=-8.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1j5r89-0006Qw-Rj b82bce3ae27485f987a3146ba8a455a9
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Working Group Last Call: HTTP Client Hints
Archived-At: <https://www.w3.org/mid/543e0e07-fb81-8b9c-f236-f8c6d71c1e4a@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37376
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 18.02.2020 05:09, Mark Nottingham wrote:
> ...

Here's my feedback:

Terminology: please use "header field" or "field" consistently.

In Section 1:

    well as dynamic user and client preferences.  Applications that want
    to allow the server to optimize content delivery and user experience
    based on such capabilities have, historically, had to rely on passive
    identification (e.g., by matching User-Agent (Section 5.5.3 of
    [RFC7231]) header field against an established database of client
    signatures), used HTTP cookies and URL parameters, or use some
    combination of these and similar mechanisms to enable ad hoc content
    negotiation.

Please add refernce to Cookie spec.

    However, proactive content negotiation requires clients to send these
    request headers prolifically.  This causes performance concerns
    (because it creates "bloat" in requests), as well as privacy issues;
    passively providing such information allows servers to silently
    fingerprint the user agent.

FWIW, it doesn't really *require* them to be send prolifically; it's
just the easiest way to do so.

If there was a requirement for that, *this* spec by definition couldn't
exist.

    This document defines the Client Hints infrastructure, a framework
    that enables servers to opt-in to specific proactive content
    negotiation features, which will enable them to adapt their content
    accordingly.  However, it does not define any specific features that
    will use that infrastructure.  Those features will be defined in
    their respective specifications.

It would be great if this could link to at least one example of those.

In 1.1.:

    This document uses the Augmented Backus-Naur Form (ABNF) notation of
    [RFC5234] with the list rule extension defined in [RFC7230],
    Appendix B.  It includes by reference the DIGIT rule from [RFC5234]
    and the OWS and field-name rules from [RFC7230].

No, it doesn't.

In Section 2:

    A Client Hint request header field is a HTTP header field that is
    used by HTTP clients to indicate configuration data that can be used
    by the server to select an appropriate response.  Each one conveys
    client preferences that the server can use to adapt and optimize the
    response.

Is it really always "configuration data"?

2.1.  Sending Client Hints

    Clients control which Client Hints are sent in requests, based on
    their default settings, user configuration, and server preferences.
    The client and server can use an opt-in mechanism outlined below to
    negotiate which fields should be sent to allow for efficient content
    adaption, and optionally use additional mechanisms to negotiate
    delegation policies that control access of third parties to same
    fields.

    Implementers should be aware of the passive fingerprinting
    implications when implementing support for Client Hints, and follow
    the considerations outlined in "Security Considerations" section of
    this document.

General comment: it seems to me that BCP14 keywords are uppercased
somewhat randomly...

    Implementers should be aware of the passive fingerprinting
    implications when implementing support for Client Hints, and follow
    the considerations outlined in "Security Considerations" section of
    this document.

Please make this a proper xml2rfc link...


Section 3.:

    Servers can advertise support for Client Hints using the mechnisms
    described below.

a) a/mechnisms/mechanisms/
b) looks like a single mechanism to me, actually


In 3.1:

    The Accept-CH response header field or the equivalent HTML meta
    element with http-equiv attribute ([HTML]) indicate server support
    for particular hints indicated in its value.

A more precise reference might be good here. The HTML spec is really big.

    Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
    Its value MUST be an sh-list (Section 3.1 of
    [I-D.ietf-httpbis-header-structure]) whose members are tokens
    (Section 3.7 of [I-D.ietf-httpbis-header-structure]).  Its ABNF is:

There is no Section 3.7 there; maybe
<https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-15#section-3.3.4>?

      Accept-CH = sh-list

    For example:

      Accept-CH: Sec-CH-Example, Sec-CH-Example-2

    When a client receives an HTTP response advertising support for
    provided list of Clients Hints, it SHOULD process it as origin
    ([RFC6454]) opt-in to receive Client Hint header fields advertised in
    the field-value, for subsequent same-origin requests.

RFC6454 appears as informative reference, but has a normative
requirement referencing it.

    For example, based on the Accept-CH example above, which is received
    in response to a user agent navigating to "https://example.com", and
    delivered over a secure transport: a user agent SHOULD persist an
    Accept-CH preference bound to "https://example.com" and use it for
    user agent navigations to "https://example.com" and any same-origin
    resource requests initiated by the page constructed from the
    navigation's response.  This preference SHOULD NOT extend to resource
    requests initiated to "https://example.com" from other origins.

Don't put normative keywords into examples. The requirements are alreay
defined earlier, right? For instance, say "will have to" instead of
"SHOULD".

In 3.1.1:

I'd make that Section 3.2.

In 4.1:

    o  Entropy

       *  Exposing highly granular data may help identify users across
          multiple requests to different origins.  Reducing the set of
          field values that can be expressed, or restricting them to an
          enumerated range where the advertised value is close but is not
          an exact representation of the current value, can improve
          privacy and reduce risk of linkability by ensuring that the
          same value is sent by multiple users.
    o  Sensitivity

       *  The feature SHOULD NOT expose user sensitive information.  To
          that end, information available to the application, but gated
          behind specific user actions (e.g. a permission prompt or user
          activation) SHOULD NOT be exposed as a Client Hint.
    o  Change over time

       *  The feature SHOULD NOT expose user information that changes
          over time, unless the state change itself is also exposed (e.g.
          through JavaScript callbacks).

The list is structured a bit strange. Maybe make it a definition list.


Appendix A.  Interaction with Variants Response Header Field

    Client Hints may be combined with Variants response header field
    [VARIANTS] to enable fine-grained control of the cache key for
    improved cache efficiency.  Features that define Client Hints will
    need to specify the related variants algorithms as described in
    Section 6 of [VARIANTS].

Unless we're planning to finish VARIANTS really soon, I'd drop this
appendix.

v2.23.0 | Report a Bug | By Email