Intent to Ship: User-Agent Client Hints "ch-ua-high-entropy-values" permissions policy
19 views
Skip to first unread message
Mike Taylor
10:22 AM (4 hours ago) 10:22 AM
to blink-dev
Contact
emails
mike...@chromium.orgExplainer
https://github.com/WICG/ua-client-hints/blob/main/README.md (probably
more useful to look at the Summary & Motivation)Specification
https://wicg.github.io/ua-client-hints/#ch-ua-high-entropy-valuesSummary
Adds
support for a 'ch-ua-high-entropy-values' permissions policy that
enables a top-level site to restrict which documents are able to
collect high-entropy client hints via the
navigator.userAgentData.getHighEntropyValues() JS API. Restricting
collection of high-entropy hints over HTTP is already possible via
existing per-client-hint permissions policies.Blink
component
Blink
> Network > ClientHintsWeb
Feature ID
ua-client-hintsMotivation
Currently
it's only possible to restrict third-party collection of
high-entropy User-Agent Client Hints when they're requested over
HTTP (via the various permissions policies associated with each
Client Hint, i.e., https://wicg.github.io/client-hints-infrastructure/#policy-controlled-features).
The permissions policy introduced in this change allows a
first-party site to have more control over which third-parties are
allowed to request high-entropy client hints via the
getHighEntropyValues JS API, which could be deployed alongside the
other permissions policies.Initial
public proposal
https://github.com/WICG/ua-client-hints/issues/151#issuecomment-783668130TAG
review
N/A:
UA-CH has already been reviewed by TAG, and this is a small,
incremental addition to the API.TAG
review status
Not
applicableRisks
Interoperability
and Compatibility
No
information providedGecko: Neutral (https://mozilla.github.io/standards-positions/#ua-client-hints) I haven't requested a new position for this small addition, since they don't support any of it, but they are neutral on the API itself.
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/70#issuecomment-3488097085) No official position, as it's blocked on a position on Client Hints in general. But I have left a comment with a pointer to this feature.
Web developers: No signals
Other signals:
WebView
application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
N/ADebuggability
No
information providedWill
this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?
NoIs
this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/client-hints/permissions-policy?label=experimental&label=master&aligned Flag
name on about://flags
No
information providedFinch
feature name
ClientHintUAHighEntropyValuesPermissionPolicyRollout
plan
Will
ship enabled for all usersRequires
code in //chrome?
FalseTracking
bug
https://issues.chromium.org/issues/385161047Launch
bug
https://launch.corp.google.com/launch/4366844Estimated
milestones
| Shipping on desktop | 144 |
| Shipping on Android | 144 |
| Shipping on WebView | 144 |
Anticipated
spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
NoneLink
to entry on the Chrome Platform Status
https://chromestatus.com/feature/6176703867781120?gate=5312509740056576Links
to previous Intent discussions
Intent
to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d302cc34-870b-4978-a583-4918ee1631c0%40chromium.org
Reply all
Reply to author
Forward
0 new messages