Use HTTP structured field values #6
Comments
|
I don't have strong feelings about this, but structured headers are mostly useful if you want to encode complex values (i.e. something beyond 1 / 0). Unless we expect to need something more complex in the future (which I'm nervous about, re the extension conversation) I don't see the value of adoption this yet-to-be-standardized approach. That said, sincerely, i dont have strong feelings about this, so if others are into it, im not going to argue :) |
|
Per @hober in the Privacy CG call
The easiest way to avoid this behavior would be to not use structured headers. Per our discussion with some of you today, I am closing this issue. Feel free to reopen. |
|
This was further discussed and it wasn't clear that @hober's assessment was correct. She seems to have been thinking of boolean fields in deeper structures, and not at the top level. It's still worth checking, this came back twice from two browser vendors — it's worth investigating. |
|
FYI, I tried implementing this with a not-widely used extension, After I put I'm posting that as an FYI, but it leads me to ask: are we saying that this should be in every single HTTP request? [Edit: Sebastian cleared up my confusion: Ignore: |
|
And is it intentional that we're not specifying a California-specific string? Good idea, or mistake? I've no idea, but choice should be intentional. |
Yes, that is the case. The GPC signal should be in every single HTTP request. The reasoning is exactly as you are describing, @elvey. We want to relieve the signal recipient from keeping state.
The
Intentional. You can think of GPC as a mechanism that by itself does not have a legal meaning. It will receive its legal meaning from laws and regulations. For example, under the California Consumer Privacy Act Regulations, a GPC signal means the opt out from the sale of personal information. However, the signal can have a different legal meaning under another law. Legislators and regulators will specify the meaning for their jurisdiction. |
That isn't true (with all deference to the otherwise perennially correct @hober)
I think it would be necessary in this approach, yes. I don't think that's an efficiency concern on the modern Web -- HPACK and QPACK will effectively amortise this to one transmission per connection, and (slightly) compress it in the process. WRT how many bytes; it's literally two bytes ( I think the extensibility question is the right thing to focus on here. If the value were under advertiser control (as |
Sorry for the noise caused by my terrible reading comprehension! |
|
I think we clarified this point and can move on as is, right? |
|
Another consideration that comes up routinely when dealing with HTTP fields is the potential for them to be repeated, which can happen by accident more often than expected. Under those conditions, it is possible that the values are combined. In this case, that could produce results like
I agree. Though we do want this to be easy to process, there is no guarantee that a very simple - and franky, bespoke - design is going to be more robust. That is true even in if extensibility is never sought or even expressly forbidden, as shown above. |
|
Concerning repetition, the registration for the header has it as non-repeatable. (I assume that this will make no difference in most implementations, but just flagging for the few cases in which it'll help.) Concerning extensibility, when I started working on this I went and grabbed every server-side DNT processor I could find. (It wasn't that many, so I'm not claiming any kind of statistical relevance here, just directional indication.) For reference, DNT can be Concerning |
|
This issue was raised in 2020; AIUI there's been enough pre-standards deployment to make what would have been a reasonable change then unwise now. What I'd suggest is that if SF is going to be used, a new field name be defined. You might only consider that if other breaking changes are made -- syntactically or semantically. |
Indeed, but there was a total a lack of implementer interest at the time. Also, the fact that @hober would get it wrong made me think that it couldn't be mature tech :) Could this be a candidate for retrofitting? |
It's not syntactically a SF, so it'd need to be mapped. That's basically just creating a new header with the same semantics but different syntax. |
|
My .02 - close this, but keep it in mind if you find that you need to create a new, incompatible version of the header. |
|
Thanks @mnot ! I think this is a candidate to be closed. Does anyone strongly feel otherwise? If not, I'll close by the end of this month. |
|
I continue to think this is important to address before this is more widely adopted. This gives us some extensibility and also overall consistency with all new headers we add to the web platform. |
|
If this is going to be re-opened, I'd suggest we also consider whether the |
|
That should probably be a separate issue as that raises the question of what should happen when a website sets it. |
SebastianZimmeck
added
the
agenda+
SebastianZimmeck
removed
the
agenda+
|
Given widespread GPC deployment and no further discussion here we will move forward for now without a structured header. |
|
What constitutes widespread deployment? How many browser engines are shipping an implementation? Just because there has been no further discussion doesn't invalidate the concerns raised. |
|
This has been deployed as it is now for several years and is acted upon by many sites (and this is just those that use the .well-known resource, which it optional). Changing the header now would break most of that content (I know for a fact that it would break nytimes.com for instance) in a way that would turn those sites from complying with the law to breaking the law. |
Filed on behalf of @yoavweiss: "Use https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#boolean"
The text was updated successfully, but these errors were encountered: