Migrating some high-entropy HTTP request headers to Client Hints. #320
Comments
To what extent did you think through how this impacts CORS? As I understand it only Chrome has shipped Clients Hints and basically extended the CORS safelist of headers that can be sent cross-origin without preflight. This is specified to some extent, but there are major issues that are mostly left unaddressed. To then further build on it seems somewhat inappropriate.
@annevk: Good question. I'm blindly assuming that whatever the Client Hints folks work out for CORS will make sense for these headers too. I kinda haven't been following along with that conversation... :( Perhaps @yoavweiss has? I recall that you and I discussed something along these lines for the CSP:EE work, and you suggesting that the
Reportedly the client hints community also wants to be able to control these headers at times so
Yeah, adding CORS request headers to the safelist has been a somewhat painful process. I'd be fine with requiring all future hints to switch to using a
At least the hints that Mike is discussing have no reasonable use-case for user-side manipulations. I need to revisit the user-side manipulations use-case and see if we can't:
I'll defer to folks who know what they're talking about, then. Some sort of prefix might make sense. And perhaps for these items in particular, we could decide that we don't want folks to be able to control them from JavaScript. Allowing folks to control the user agent, for instance, seems weird (though I guess we allow it today?).
Apparently this is https://bugs.chromium.org/p/chromium/issues/detail?id=571722, which past-me said he was fine with as long as it required a preflight. Silly past-me. :) I think present-me would be happier if we chose not to make a replacement for
I've updated both the But it also seems somewhat tangential to the question I'd like to discuss here: infrastructure to the side, are these hints good ideas? Or should we address
I sketched these headers out in a little more detail in https://tools.ietf.org/html/draft-west-ua-client-hints and https://tools.ietf.org/html/draft-west-lang-client-hint. Feedback would be most welcome (also around the Fetch integration in particular, @annevk).
I think I can find folks to implement some pieces of this in Chrome in the ~Q1 timeframe. If y'all have thoughts about how these APIs should be shaped, now would be a great time to pass them on. :) There's also a bit of discussion around where the underlying concepts should be defined in the HTTP WG thread at https://lists.w3.org/Archives/Public/ietf-http-wg/2019JanMar/0003.html. Y'all might have opinions? /ccing @torgo explicitly, since this has been sitting around for ~2 months. :)
Intents to implement in Blink: https://groups.google.com/a/chromium.org/d/msg/blink-dev/vN-5SjwHPus/saJY6qwXDwAJ for
I don't know the appropriate place to make this request, but one of the biggest pain points I see in web development with browsers is that there is absolutely no way for sure to know the viewport size of the requesting browser until after the first visit (where you can set cookies to hint to the server on subsequent requests). This issue severely handicaps any non-trivial web application that hopes to integrate SSR since the application must be completely responsive. The only alternative is to guess (read: To note, many devices now support "split screen" so guessing at the viewport size based on device type is more and more a bad idea. Similar issue (just for visibility AlecAivazis/redux-responsive#111) My proposal: I don't think it's a security / tracking / fingerprinting concern to always pass on hints of the viewport size of the device, something along the lines of
@chaffeqa: It's a bit tangential to this specific review request, which I'd like to keep focused on the two hints I'd like to add. Still, I think I agree that viewport information can be useful for content negotiation (and Chrome actually already ships a
Makes sense to keep the discussion to the initial mentioned items. And thanks for the heads up on I'll try to find the appropriate place to ask if there is a solution / discussion on that front. Still excited to see movement in this area, thanks for taking it on!
For Accept-Language, I'd rather have the server sending variants than requesting language preferences via client-hints. In that case, indicating to the server that you would like to be presented with multi-lingual options should be enough. |
Hey Mike! At today's Tokyo F2F, we had a great discussion about this proposal. We didn't dive too deeply into the technical proposal, but discussed the problem space at a high level. As you might have expected, the TAG is supportive of efforts to reduce fingerprinting, especially passive fingerprinting, which we think has a much smaller surface area that we can affect in the browser. Given this framing, we are actually quite happy to see this effort around the User Agent string (and Accept header) move forward. We believe it will be great to have the User Agent string (that is sent by default) ultimately have less entropy by transitioning the entropy into opt-in client hints. We liked the fact that, as client hints, the client can be aware of which servers are asking for the extra entropy, and the potential for fingerprinting that goes with it. So... this is the official "thumbs-up" from the TAG. Please continue developing this proposal, and we look forward to being involved in future review requests! This is TAG, signing off.
Hi Mike, Simple detail added. I see the UA would not be informing about the language to HTTP end points. Is that a problem? |
Correct. This is documented in https://tools.ietf.org/html/draft-west-lang-client-hint-00#section-3.1.
I don't think so. It means that language preferences will not be leaked over plaintext channels, reducing the opportunity for network attackers to build a profile of a given agent's behavior over time. Similarly, I'd like to limit the Do you think it's a problem? |
Guten TAG!
I'm requesting a TAG review of the general concept of migrating high-entropy HTTP request headers to the Client Hints infrastructure. I have two concrete proposals that I think make sense, but they make the most sense together as part of a broader story about reducing the passive fingerprinting surface available to both network attackers and servers.
Explainer, Requirements Doc, or Example code:

- `User-Agent` into `UA`, `UA-Platform`, `UA-Arch`, and `UA-Model` Client Hints.
- `Accept-Language` into a `Lang` Client Hint.

Primary contacts: @mikewest, @thiemonagel
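As an added example that is not part of this issue, of either draft, or of Chromium: a small Python model of the opt-in behaviour described in the proposal above and in the earlier comment about not leaking language preferences over plaintext channels. It assumes the `Accept-CH` response header from the Client Hints draft as the server's opt-in signal; the hint values, origins and the `HintClient` class are constructed for illustration.

```python
"""Constructed model of opt-in Client Hints, not code from the drafts or Chromium.

The client sends only a low-entropy `UA` hint by default, records which secure
origins asked for more via `Accept-CH`, and attaches the high-entropy hints
(`UA-Platform`, `UA-Arch`, `UA-Model`, `Lang`) only to later requests to those
origins. Nothing beyond the default is ever sent over plaintext http://.
"""
from urllib.parse import urlsplit

# Constructed hint values; real values follow the drafts' syntax.
LOW_ENTROPY = {"UA": "Browser 72"}
HIGH_ENTROPY = {
    "UA-Platform": "Linux",
    "UA-Arch": "x86_64",
    "UA-Model": "",        # empty on desktop-class devices
    "Lang": "de-DE",
}


def _origin(url):
    """Return (origin, is_secure) for a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}", parts.scheme == "https"


class HintClient:
    def __init__(self):
        self.opt_ins = {}  # origin -> set of hint names that origin requested

    def request_headers(self, url):
        """Hints for a request: low-entropy always, high-entropy only if this secure origin opted in."""
        origin, secure = _origin(url)
        headers = dict(LOW_ENTROPY)
        if secure:
            for name in self.opt_ins.get(origin, ()):
                if name in HIGH_ENTROPY:
                    headers[name] = HIGH_ENTROPY[name]
        return headers

    def observe_response(self, url, response_headers):
        """Record an Accept-CH opt-in; ignored entirely when the origin is not https."""
        origin, secure = _origin(url)
        value = next((v for k, v in response_headers.items() if k.lower() == "accept-ch"), None)
        if not secure or not value:
            return set()
        requested = {h.strip() for h in value.split(",") if h.strip()}
        self.opt_ins.setdefault(origin, set()).update(requested)
        return requested

    def servers_requesting(self, hint):
        """Origins that asked for a given hint: the visibility the TAG comment values."""
        return sorted(o for o, hints in self.opt_ins.items() if hint in hints)
```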
Further details (optional):
You should also know that there's some active disagreement about the value of Client Hints generally. We had a number of discussions on the topic at TPAC, and I hope I'm not overstating things to suggest that there was some level of agreement that the infrastructure of Client Hints might be a reasonable one to support, even in the face of substantial disagreement about the specific hints that the infrastructure might support.
We'd prefer the TAG provide feedback as (please select one):
Thanks folks! You're still my favorite architectural review body in the W3C!