Re: Request-Off-The-Record Mode header

[Mike West <mkwst@google.com>]

Thanks for sending this proposal over. I think it's interesting to both
folks in HTTPWG and WebAppSec, though it seems to me that the protocol
definition is fairly straightforward, while the privacy and implementation
considerations for user agents are likely the important part of the
proposal.

WebAppSec's next meeting is on the 21st. If you're interested in presenting
it there for discussion, I think we'll have room in the agenda:
https://github.com/w3c/webappsec/issues/624.

-mike


On Mon, Jun 12, 2023 at 8:56 AM Shivan Kaul Sahib <shivankaulsahib@gmail.com>
wrote:

> Hey Caleb,
>
> On Thu, 8 Jun 2023 at 14:58, Caleb Queern <cqueern@gmail.com> wrote:
>
>> This feels very similar to what <ahem> some have said about the
>> Clear-Site-Data header both in its utility and risks.
>>
>
> I think one big difference between Off-The-Record and Clear-Site-Data is
> that Off-The-Record is preventative, while Clear-Site-Data is sent after
> the fact. Also, in the case of Clear-Site-Data, the website specifies
> what to clear, while with Off-The-Record the website leaves it up to the
> user agent.
>
>>
>> On Thu, Jun 8, 2023 at 4:52 PM David Schinazi <dschinazi.ietf@gmail.com>
>> wrote:
>>
>>> This sounds very useful for the domestic violence resources use case,
>>> but at the same time I could imagine malware websites abusing it to erase
>>> traces of how a machine got infected. Would it be possible to get user
>>> consent per origin for this?
>>> David
>>>
>>> On Thu, Jun 8, 2023 at 2:42 PM Eric Lawrence <
>>> Eric.Lawrence@microsoft.com> wrote:
>>>
>>>> This generally seems useful.
>>>>
>>>>
>>>>
>>>> I can foresee some user confusion if a user encountered the
>>>> interstitial page when visiting the target site in InPrivate/Incognito
>>>> mode, but I also wouldn’t want to skip the interstitial page in those
>>>> privacy modes (because it could be abused as an oracle that would reveal to
>>>> the site whether a visitor is using a Private Mode already).
>>>>
>>>> In Chromium-based browsers, browser extensions are disabled by default
>>>> while in Private Mode. It does not look like you propose to disable
>>>> extensions from interacting with “Off-the-record” sites?
>>>>
>>>>
>>>>
>>>> *From:* Shivan Kaul Sahib <shivankaulsahib@gmail.com>
>>>> *Sent:* Thursday, June 8, 2023 2:14 PM
>>>> *To:* public-webappsec@w3.org; HTTP Working Group <ietf-http-wg@w3.org>
>>>> *Subject:* Request-Off-The-Record Mode header
>>>>
>>>>
>>>>
>>>> You don't often get email from shivankaulsahib@gmail.com. Learn why
>>>> this is important <https://aka.ms/LearnAboutSenderIdentification>
>>>>
>>>> Hi folks, this is a head's up and early request for feedback:
>>>>
>>>>
>>>>
>>>> Brave is shipping support for an HTTP response header sent by a website
>>>> that wants the client to treat the website as "off-the-record" i.e. not
>>>> store anything in storage, not record the site visit in history etc. Kind
>>>> of like incognito/private browsing mode but site-initiated and only for a
>>>> specific website. The header is simple: it would look like `Request-OTR:
>>>> 1`. Some details here:
>>>> https://brave.com/privacy-updates/26-request-off-the-record/#request-otr-header. Currently
>>>> we bootstrap for websites that have expressed interest in this (mainly
>>>> websites that have help resources for domestic violence victims, which was
>>>> the driving use-case) by preloading a list of websites into the browser,
>>>> but it would be nice to standardize the header. We're considering doing the
>>>> work in the HTTP WG at IETF: it's envisioned to be a simple header.
>>>>
>>>> I see that this idea was previously discussed in W3C WebAppSec:
>>>> https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html,
>>>> and there was a draft Mozilla spec:
>>>> https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades,
>>>> though as a CSP directive.
>>>>
>>>>
>>>>
>>>> Happy to hear what people think.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>