This repository has been archived by the owner on Jun 26, 2019. It is now read-only.
As a thought experiment, let's say we defined Content Size to require mandatory TAO opt-in:
The (iframe) document must provide TAO opt-in: this exposes the size of the document to the embedder.
All resources within the embedded context must provide TAO opt-in: this exposes the size of each resource to the nested context. The iframe'd document by providing the TAO opt-in to the embedder then also exposes its subresource total.
Resources that don't provide the TAO opt-in are blocked by the user agent.
The above model means we can expose exact byte counts. The embedder wouldn't see the specific resources fetched by the nested context, but it would know their total size.
The downside to the above is that it requires explicit opt-in by the embedded content, which may or may not be practical for some of the use cases we'd like this to be used in.
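The model in the post above, sketched as an added example that is not part of the original issue or of any specification: a user agent sums the bytes of a nested context, blocks subresources without a Timing-Allow-Origin opt-in, and hands the embedder only the total. The function names, the frame object shape and the example origins are assumptions made for illustration, and treating a document without opt-in as yielding no exposed size is one reading of the post.

```javascript
// Added illustration of the thought experiment; not spec or browser code.
// Timing-Allow-Origin check: "*" or an exact, case-sensitive match against
// the serialized origin of the party that wants to see the size.
function passesTAO(headerValue, requesterOrigin) {
  if (typeof headerValue !== "string") return false;
  return headerValue
    .split(",")
    .map((v) => v.trim())
    .some((v) => v === "*" || v === requesterOrigin);
}

// Hypothetical accounting for one nested context (iframe).
function contentSizeFor(frame, embedderOrigin) {
  const loaded = [];
  const blocked = [];
  for (const res of frame.resources) {
    // Subresources opt in to the nested context, i.e. the iframe's origin.
    if (passesTAO(res.tao, frame.origin)) loaded.push(res);
    else blocked.push(res.url); // no opt-in: blocked by the user agent
  }
  // The document opts in to the embedder, which also exposes the subresource total.
  const documentOptedIn = passesTAO(frame.tao, embedderOrigin);
  const totalBytes = frame.bytes + loaded.reduce((sum, r) => sum + r.bytes, 0);
  return {
    blocked, // known to the user agent, not reported to the embedder
    // Assumption: without the document's opt-in nothing is exposed.
    exposedToEmbedder: documentOptedIn ? { totalBytes } : null,
  };
}

// Constructed sample: https://widget.example framed by https://publisher.example.
const sampleFrame = {
  origin: "https://widget.example",
  tao: "https://publisher.example",
  bytes: 12000,
  resources: [
    { url: "https://widget.example/app.js", tao: "*", bytes: 48000 },
    { url: "https://cdn.example/logo.png", tao: "https://widget.example", bytes: 9000 },
    { url: "https://tracker.example/p.gif", tao: undefined, bytes: 43 },
    { url: "https://cdn.example/font.woff2", tao: "https://other.example", bytes: 30000 },
  ],
};

const sampleResult = contentSizeFor(sampleFrame, "https://publisher.example");
console.log(sampleResult);
```

The embedder receives a single byte count while the per-resource list stays inside the user agent, and the two resources without a matching opt-in never load.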
I think that is the best route forward, assuming we can pull it off and convince most third parties that they must add TAO headers.
I guess the biggest question here is if there are third party use-cases that would violate user privacy by enabling TAO (e.g. widgets that change resources fetched based on user login/preference/unread messages, etc).
I'm concerned this would be extremely difficult in practice. Do we have a sense for a minimum number of third parties which we would need to add TAO header to enable even a single ad to render correctly (assuming we block resources without TAO)? My hunch is that it would be a big effort.
I agree with csharrison@. The primary use-case for size policy is to restrict third-party ads and social widgets so that publishers have more control over the user experience of their pages. If you require TAO then the publisher really doesn't have any more control than before.