Add Accept-CH-lifetime cache and CH header handling #729
<li><dfn id=concept-accept-ch-cache-client-hints-list for=accept-ch-cache>client-hints list</dfn> | ||
</ul> | ||
|
||
<p>Entries must be removed after the seconds specified in the |
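Review bot: The removal rule at "Entries must be removed after the seconds specified in the" covers time-based expiry only. Because the entry is state the user agent keeps between loads, add a clause that removes entries when the user clears site data or cookies for the origin, and say whether expiry is enforced when the entry is read, so that an expired client-hints list is never applied.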
Do we need any extra clauses to ensure that this cache is purged when user clears site-data or similar?
Probably
@mikewest what's the best way to hook this to clear-site-data and similar UI concepts (e.g. user cleared their cookies)? Looking at https://w3c.github.io/webappsec-clear-site-data/#clear-dom it seems to enumerate all the relevant things that need to be cleared? Should the ACHL cache do the same?
@@ -2897,6 +2936,19 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps: | |||
<li><p><a href=https://w3c.github.io/webappsec-csp/#set-response-csp-list>Set <var>internalResponse</var>'s CSP list</a>. | |||
[[!CSP]] | |||
|
|||
<li><p>If <var>response</var>'s | |||
<a href=http://httpwg.org/http-extensions/client-hints.html#accept-ch>Accept-CH header</a> | |||
is present, process the header and add its client-hints tokens to the <a>active document</a>'s |
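Review bot: The Accept-CH step is gated only on "is present", with no check on how the response was delivered, so a response fetched over plain HTTP would also add tokens to the active document's list. Condition the step on an HTTPS response, and replace "process the header" with a reference to a parsing algorithm that says what happens to unrecognised or malformed tokens.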
Restrict to HTTPS only?
Yeah
<li><p>If <var>response</var>'s | ||
<a href=http://httpwg.org/http-extensions/client-hints.html#accept-ch-lifetime>Accept-CH-Lifetime header</a> | ||
is present, call | ||
<a for=accept-ch-cache>create a new entry</a> with <var>response</var>'s <var>origin</var>, the |
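Review bot: In the Accept-CH-Lifetime step, "create a new entry" is called with response's origin, yet the only precondition is that the header is present. The origin appears as a bare variable with no definition visible here, so state how it is derived from the response's URL, limit the step to HTTPS responses in the same way as the Accept-CH step, and specify what happens when the lifetime value is non-numeric or very large.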
Ditto, https-only?
Superseded by whatwg/html#3774

This PR adds the concept of an Accept-CH cache as well as some handling for the Accept-CH and Accept-CH-Lifetime headers.

Tackles some of the concepts that need defining in #726
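The cache behaviour discussed in this thread (origin-keyed entries, expiry after the stated seconds, the HTTPS-only restriction and a purge hook for cleared site data), modelled as an added example that is not part of the PR, the spec text or any browser's implementation. The class and method names, the requirement that both headers be present before storing, and the 10-digit bound on the lifetime are assumptions.

```javascript
// Model of an origin-keyed Accept-CH cache. All names here are illustrative.
class AcceptCHCache {
  constructor() {
    this.entries = new Map(); // origin -> { hints: Set<string>, expiresAt: ms }
  }

  // Called for a response; `headers` is a plain object with lowercase names.
  // Returns true only when an entry was stored.
  processResponse(responseUrl, headers, nowMs) {
    const url = new URL(responseUrl);
    // Reviewers' suggestion: ignore both headers on non-HTTPS responses.
    if (url.protocol !== 'https:') return false;
    const lifetime = headers['accept-ch-lifetime'];
    const acceptCH = headers['accept-ch'];
    if (lifetime === undefined || acceptCH === undefined) return false;
    // Lifetime is a count of seconds; digits only, bounded so it stays finite.
    if (!/^\d{1,10}$/.test(lifetime.trim())) return false;
    const hints = new Set(
      acceptCH.split(',').map((t) => t.trim().toLowerCase()).filter((t) => t !== '')
    );
    if (hints.size === 0) return false;
    this.entries.set(url.origin, {
      hints,
      expiresAt: nowMs + Number(lifetime.trim()) * 1000,
    });
    return true;
  }

  // Returns the stored hint list, dropping the entry once its lifetime has passed.
  lookup(origin, nowMs) {
    const entry = this.entries.get(origin);
    if (!entry) return [];
    if (nowMs >= entry.expiresAt) {
      this.entries.delete(origin);
      return [];
    }
    return [...entry.hints].sort();
  }

  // Hook for "clear site data" or cookie clearing: forget the origin entirely.
  clearOrigin(origin) {
    return this.entries.delete(origin);
  }
}
```

Expiry is checked on read, so an entry that has outlived its lifetime is never applied even if no background sweep has run.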