SummaryDPR, Width, and Viewport-Width hints enable proactive content negotiation between client and server, enabling automated delivery of optimized assets - e.g. auto-negotiating image DPR resolution, image size, and other optimized assets based on signals such as client's viewport width. For more details, see [1], [2].MotivationImages account for the bulk of transferred bytes [3] and provided hints enable automated negotiation and delivery of optimized asset variant based on DPR, display width of the resource (when it is known at request time), and client's viewport width. In some scenrios, markup-based responsive images solutions are not sufficient: the requirement to modify and update all existing pages may be extremely expensive for legacy web sites, and some developers prefer to keep image optimization outside of markup and handle it in lower layers via content-negotiation. For more details, see [1], [2].
Compatibility RiskLow. Provided hints are opt-in [4] and delivered on best-effort basis; there is no additional overhead for sites that don't choose to leverage these hints.
Safari: Mixed signals.Ongoing technical constraintsShipping these features is currently blocked on crbug.com/434477 since it would result in wrong values being sent on Android.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?Yes.OWP launch tracking bug?Link to entry on the feature dashboardRequesting approval to ship?Yes.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACj%3DBEi8S%3DC_HTigNyKNCLZuvy1yN5yLgqv_P72eAphdtYqzBA%40mail.gmail.com.
On Fri, Jun 19, 2015 at 1:00 PM, Yoav Weiss <yo...@yoav.ws> wrote:It doesn't seem like there's anything substantive in the spec about the privacy implications, other than two sentences under Security Considerations.It seems at least worth calling out explicitly, even though https://www.chromium.org/Home/chromium-security/client-identification-mechanisms and http://www.w3.org/wiki/Fingerprinting existFor example, https://w3ctag.github.io/security-questionnaire/ has a good set of questions that should ideally be documented in the spec ;)
I do think that both Downlink and Quality have some real issues, so the intent is that you'll send separate intents for those, if at all, right?
There's also venue questions - This is presented as an Informational document, rather than as a [potential] Standards Track document. It follows the IETF's RFC form, but suggests it belongs in the Network Working Group, rather than the HTTP working group. Why? What's the reaction from non-browser vendors to this extension of HTTP semantics?
What about the implications for forward load balancers or caching proxies? We've seen other features (such as SDCH) interact quite negatively with these. Should this be limited to Secure contexts, not because of the security considerations (although there's arguably ambient privacy arguments for this based on the nature of how this exposes additional passive information leakage), but because of the implementation issues?
Compatibility RiskLow. Provided hints are opt-in [4] and delivered on best-effort basis; there is no additional overhead for sites that don't choose to leverage these hints.This isn't, strictly speaking, true, is it? There is overhead in the Request bodies, even if minor.
Header naming seems to have been raised by multiple vendors. I'd be curious to see what degree of review this has gotten from the wider HTTP community (aka the HTTP WG, where such a document will inevitably be proposed). I'm very much afraid that the current header names would ossify nearly immediately, and we'd end up being unable to address these.
There's also risk with the fact that there's bad interactions unless Vary is employed, and that this adds real risk to the HTTP caching layer, right? That is, imagine we go down this route and implement, and six months later, we decide it was a failed experiment or that there are insurmountable design issues that cause us to remove support. What are the implications to our users' caches when we do this? What steps can we proactively take to mitigate those implications while still allowing the ongoing experimentation and information gathering?
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CADXXVKrwoOffGFNs5WwTFUWA%2BvEv3tvgEJo9d6T7B-epjYObkQ%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
This is not my area of expertise, but I tried to follow the webkit-dev discussion:The final message from Maciej is still largely negative, in my reading. Is implementation proceeding in WebKit and what do you think the chances of getting this shipped in WebKit are? (For those not following links, Yoav is driving the feature in WebKit too.)
In that thread your said "That's up for the browser" and "it's skimpy on browser related details." Can't the spec just define everything so that we can get interoperable implementations? If the IETF doesn't allow you to for process reasons, perhaps another venue or a companion spec would be an option?
On Mon, Jun 29, 2015 at 2:31 PM, Philip Jägenstedt <phi...@opera.com> wrote:This is not my area of expertise, but I tried to follow the webkit-dev discussion:The final message from Maciej is still largely negative, in my reading. Is implementation proceeding in WebKit and what do you think the chances of getting this shipped in WebKit are? (For those not following links, Yoav is driving the feature in WebKit too.)I plan to continue and push the implementation in WebKit.
In that thread your said "That's up for the browser" and "it's skimpy on browser related details." Can't the spec just define everything so that we can get interoperable implementations? If the IETF doesn't allow you to for process reasons, perhaps another venue or a companion spec would be an option?A "browser implementation" document is on my TODO list as a separate document from the spec.
On Mon, Jun 29, 2015 at 5:17 PM, Yoav Weiss <yo...@yoav.ws> wrote:On Mon, Jun 29, 2015 at 2:31 PM, Philip Jägenstedt <phi...@opera.com> wrote:This is not my area of expertise, but I tried to follow the webkit-dev discussion:The final message from Maciej is still largely negative, in my reading. Is implementation proceeding in WebKit and what do you think the chances of getting this shipped in WebKit are? (For those not following links, Yoav is driving the feature in WebKit too.)I plan to continue and push the implementation in WebKit.Is that to say patches are landing, or is progress in WebKit effectively blocked on getting this into Blink? (Trying to figure out what to make of the reluctance shown on webkit-dev.)
In that thread your said "That's up for the browser" and "it's skimpy on browser related details." Can't the spec just define everything so that we can get interoperable implementations? If the IETF doesn't allow you to for process reasons, perhaps another venue or a companion spec would be an option?A "browser implementation" document is on my TODO list as a separate document from the spec.It sounds like this would effectively be part of the spec. What kinds of things would it say, how likely is it that requirements that come from this add-on spec would result in interesting feedback from other browser vendors?
(Off-topically, I'm also curious to know why it is a separate document, i.e. is it a natural layering corresponding to layers of the implementation, or is it just a process problem?)
On Mon, Jun 29, 2015 at 10:58 PM, Philip Jägenstedt <phi...@opera.com> wrote:On Mon, Jun 29, 2015 at 5:17 PM, Yoav Weiss <yo...@yoav.ws> wrote:On Mon, Jun 29, 2015 at 2:31 PM, Philip Jägenstedt <phi...@opera.com> wrote:This is not my area of expertise, but I tried to follow the webkit-dev discussion:The final message from Maciej is still largely negative, in my reading. Is implementation proceeding in WebKit and what do you think the chances of getting this shipped in WebKit are? (For those not following links, Yoav is driving the feature in WebKit too.)I plan to continue and push the implementation in WebKit.Is that to say patches are landing, or is progress in WebKit effectively blocked on getting this into Blink? (Trying to figure out what to make of the reluctance shown on webkit-dev.)I have one in-flight patch, which was followed by further discussion. I'm hoping that after Blink support and usage in the wild (which will hopefully be followed by Gecko and Edge, both supportive of the feature), the use-case for the feature would be clearer to the WebKit folks.
In that thread your said "That's up for the browser" and "it's skimpy on browser related details." Can't the spec just define everything so that we can get interoperable implementations? If the IETF doesn't allow you to for process reasons, perhaps another venue or a companion spec would be an option?A "browser implementation" document is on my TODO list as a separate document from the spec.It sounds like this would effectively be part of the spec. What kinds of things would it say, how likely is it that requirements that come from this add-on spec would result in interesting feedback from other browser vendors?I mostly want to specify things like:* Where do the values of `Width` come from* How does this spec play nicely with image preloading* Reactivity to viewport changes* etc
(Off-topically, I'm also curious to know why it is a separate document, i.e. is it a natural layering corresponding to layers of the implementation, or is it just a process problem?)My understanding is that since the current spec is aimed to be an IETF spec, it should not include any details specific to browsers. I'll defer to Ilya for more details.
On Tue, Jun 30, 2015 at 9:22 AM, Yoav Weiss <yo...@yoav.ws> wrote:I mostly want to specify things like:* Where do the values of `Width` come from* How does this spec play nicely with image preloading* Reactivity to viewport changes* etcYes, where does the Width value come from? :)
Is this something that could be put together before this is shipped? Perhaps tentative support to ship first would be good so that you're not wasting your time.Is the intent to flip ClientHints from status=experimental to stable? That would also enable some support for the Content-DPR header.
It looks like that only affects layout and not HTMLImageElement.naturalWidth/Height, which seems wrong.
There's no spec for it, but presumably you would want it to behave more like <video>, where there's videoWidth/Height that is consistently used in layout, canvas and APIs, and the actual pixel dimensions are unknown.(Off-topically, I'm also curious to know why it is a separate document, i.e. is it a natural layering corresponding to layers of the implementation, or is it just a process problem?)My understanding is that since the current spec is aimed to be an IETF spec, it should not include any details specific to browsers. I'll defer to Ilya for more details.A spec-related question. Is the intention that servers begin to send the Accept-CH header and that clients then send these new headers with every request?
I assume this has been discussed, but why aren't the new headers simply included in fetch contexts where are an image response is expected?
Will these additions have any effect at all when navigating directly to an image?
It might be the first request to the server, and the response could be anything. If the response includes Accept-CH, might reloading cause another response to be sent the second time?
The alternative that I think should be considered is to always send the new headers with image requests.
1) I'm concerned about W3C vs IETF process points again, and that the current route of the documents don't necessarily have the same level of expert review about the broader implications. I would hope, as a sign of standards maturity, there was some sign of IETF discussion/review/interest, perhaps in the case of preliminary expert review. More specifically, I want to make sure we're taking the "big picture" impact of HTTP flows :)
2) As this discussion has already captured, I think there's a lot in flux and a lot simply unknown / that will be bugged with these headers. My gut is still "here be dragons", and while I know it's unfair to those excited for it, I don't think I really have the time to dig in to figure out where they are and whether or not they're just very noisy lizards with projectors. However, by virtue of the purpose of these headers, we won't really get feedback / explore these sharp edge cases unless/until sites can start using/adopting this, and so we're in a chicken/egg problem.For things Google is interested in, there's no question that teams frequently 'cheat' the process by whitelisting features/APIs for .google.com domains, and then use a mix of Finch & UMA (Googler only) to measure the impact, along with their implementation experience. I don't think that's a good state either, but it's at least a somewhat 'controlled' way of knowing you can remove a feature later (even if some Google teams end up making their infrastructure depend on some experimental feature such that it's not removable by Chromium developers :/). I know there was discussion in the past about enabling features 'conditionally' for users (50/50 splits and the like), although I'm not sure whatever happened to that or if that's now frowned upon.I would say that given this variability, we should try to 'ship' it some place as minimal as possible, which is why I like the image context.3) The Accept-CH issues raised by Philip are concerning, and definitely feel like added complexity and a constant source of future bugs. The alternative, sending the header on every request, is understandably undesirable for performance. One way to mitigate this would only be to enable this on HTTP/2 connections (thus benefit from HPACK), avoiding adding latency to HTTP/1 connections that would have to send this header on every (possibly image) request.
4) As with any/every change of networking, I'm concerned about the (public) ability to watch for performance regressions. For example, if it ended up that we were adding 60-80 bytes every request, and that ended up causing 1-2ms delays in requesting, I'm not confident that there's sufficient (public) infrastructure to capture that. Finch/UMA again are the traditional methods here, but the web-visible part makes this hard.This is my long way of saying that, if we're ever going to do anything in this space, we're going to eventually have to ship it and see if it falls flat on its face / ruins the Internet. My hope is that we take as measured an approach as possible, sufficient to get feedback, and that we have strong ownership/sponsorship that is able to define the criteria to say 'no, we should pull this out', and not just the criteria to say 'yes', and look at how things turn out.
If the header is going to be sent on all image requests (a fairly large number of requests), can it also be sent on requests for the main resource. Most web pages have much more than 1 image, so doing this wouldn't substantially increase the number of images. Doing so opens up a bunch of possibilities (eg, allowing a server to decide how much data to ship to the client in the initial request based on their viewport size).
I think this should be discussed. Sending a header on every request isn't necessarily a deal-breaker with HTTP/1 if it's small, and some people may even feel that it's OK to give people an incentive to move to /2.
Giving sites control over when the browser uses these features helps collect that data. I hear what you're saying about Accept-CH. What about having a well-known location that holds site-wide metadata like this, so that the browser can request it on a background thread in a non-blocking fashion (sending the header until it knows the site hasn't opted out)? Every time this sort of approach has come up before, browsers have been reluctant to make that other request, but I figure eventually there'll be enough interesting use cases to top the balance.
The first two points sound good to me. What precisely counts as an image context, though? Is it the "image" and "imageset" contexts in Fetch, requests that are categorized as "img-src" in CSP, or something else?On Tue, Jul 7, 2015 at 8:30 AM, Yoav Weiss <yo...@yoav.ws> wrote:OK, so according to the above, I propose the following changes:* Eliminate `Accept-CH` response header* Always send hints on image context requests* (optional) Always send hints on navigational requests (to address the "user browsed to an image URL directly" use-case)If that's acceptable, I'll go ahead with the code and documentation changes.
The third is not so obvious, it would be similar to always sending a "Range: bytes=0-" header with navigational requests to improve the case when it's a video. I'd lean towards not doing that until it's more clear that there's a problem.
There is one more thing we discussed on IRC that would be good to capture on the list: what is the use case for sending the Viewport-Width header? Since Width would match Viewport-Width in the absence of the sizes attribute, when would one take Viewport-Width into account in addition to Width?
On Tue, Jul 7, 2015 at 3:39 PM, Yoav Weiss <yo...@yoav.ws> wrote:On Tue, Jul 7, 2015 at 2:14 PM, Philip Jägenstedt <phi...@opera.com> wrote:Would it make sense for Width to fall back to the viewport width in the absence of the sizes attribute? I think this would correspond to "If the above algorithm exhausts unparsed sizes list without returning a size value, return 100vw" in parse a sizes attribute.On Tue, Jul 7, 2015 at 2:17 PM, Yoav Weiss <yo...@yoav.ws> wrote:On Tue, Jul 7, 2015 at 9:58 AM, Philip Jägenstedt <phi...@opera.com> wrote:The first two points sound good to me. What precisely counts as an image context, though? Is it the "image" and "imageset" contexts in Fetch, requests that are categorized as "img-src" in CSP, or something else?On Tue, Jul 7, 2015 at 8:30 AM, Yoav Weiss <yo...@yoav.ws> wrote:OK, so according to the above, I propose the following changes:* Eliminate `Accept-CH` response header* Always send hints on image context requests* (optional) Always send hints on navigational requests (to address the "user browsed to an image URL directly" use-case)If that's acceptable, I'll go ahead with the code and documentation changes.I'm fine with either.The third is not so obvious, it would be similar to always sending a "Range: bytes=0-" header with navigational requests to improve the case when it's a video. I'd lean towards not doing that until it's more clear that there's a problem.OK.There is one more thing we discussed on IRC that would be good to capture on the list: what is the use case for sending the Viewport-Width header? Since Width would match Viewport-Width in the absence of the sizes attribute, when would one take Viewport-Width into account in addition to Width?`Width` is not sent when there's no `sizes` attribute. Viewport-Width is sent in all cases, and can be used as a weaker hint in the absence of the stronger hint which is `Width`.As discussed elsewhere, it would amount to using only the output of a shared algorithm both in the client-side algorithm and in server-side implementations. To send both one of the inputs and the output of the algorithm to the server makes we wonder what the server will do with the extra information that isn't done on the client.This is how it was defined before comments from Apple suggested that it'd be better to split the values up, so that the server side has a better notion of the value it is getting.Do you agree that it is better to split them up?
1) I'm concerned about W3C vs IETF process points again, and that the current route of the documents don't necessarily have the same level of expert review about the broader implications. I would hope, as a sign of standards maturity, there was some sign of IETF discussion/review/interest, perhaps in the case of preliminary expert review. More specifically, I want to make sure we're taking the "big picture" impact of HTTP flows :)
We talked about this in our last WG meeting, and there was pretty strong interest. One of the blockers for adopting it has been waiting for Key; I'm thinking it might be good to decouple them (in the WG -- i.e., go ahead and start on CH) if that would help.Ilya, WDYT? I'm happy to talk about it in Prague and do a call for adoption shortly thereafter.
Do you have a specific sense of the risks that implementing this on the main request (vs just images) would bring. From the point of view of a website provider, if we find that the Client Hint headers are inaccurate, we'd just ignore them on browser versions known to be bad.I'm all for launching this cautiously, just curious what kinds of risks you see in sending on the main document and how those would be debugged by doing a softer launch.
On the client side, the breakage caused by weirdnesses with respect to the Cache for <img> tags will be less than the breakages caused by weirdness for main documents (that is, better to have botched images than a botched page, right?). The document has the whole signalling issue with Accept-CH, which we can already see.
On the privacy side, I think Accept-CH being able to induce user viewport leakage to third-party passive content is quite questionable. I'd like to better understand the information leakage here to third-parties, especially since http://igrigorik.github.io/http-client-hints/ doesn't seem to mention privacy at all. By avoiding it for the main document in the initial implementation, we give more time to have the privacy discussion while perhaps mitigating some of those concerns.
Re, sending hints to third-party origins: this is critical, as many/most image and other assets are hosted on static CDNs and/or optimization services (also, sharding..).
On Wed, Jul 8, 2015 at 8:31 AM, Ilya Grigorik <igri...@google.com> wrote:Re, sending hints to third-party origins: this is critical, as many/most image and other assets are hosted on static CDNs and/or optimization services (also, sharding..).Considering how much work is being spent on resolving linkability between first-party and third-party contexts, and considering that this passively leaks information (Viewport-Width) that is [seemingly?] otherwise unavailable except for active script, this does seem to be a strange privacy tradeoff.
On Wed, Jul 8, 2015 at 8:31 AM, Ilya Grigorik <igri...@google.com> wrote:Re, sending hints to third-party origins: this is critical, as many/most image and other assets are hosted on static CDNs and/or optimization services (also, sharding..).Considering how much work is being spent on resolving linkability between first-party and third-party contexts, and considering that this passively leaks information (Viewport-Width) that is [seemingly?] otherwise unavailable except for active script, this does seem to be a strange privacy tradeoff.
Perhaps you can add a Privacy Considerations section? ;) [The same applies to DPR & Downlink]. Perhaps thinking about the questions posed by https://w3ctag.github.io/security-questionnaire/ ?