Braw mornin' TAG!

I'm requesting a TAG review of markup based Client Hints delegation for third-party content.

This allows permission policies (for only client hints) to be set on Accept-CH meta tags which include third party origins, which is useful for web developers who may not have easy access to modify HTTP headers (e.g., developers relying on embedding third-party code snippets). For example, to specify third party requests to https://foo.bar must include sec-ch-ua-platform-version you could include:

<meta name="accept-ch" content="sec-ch-ua-platform-version=( https://foo.bar)">

You may still omit the permission policy and rely on the default allowlist as follows:

<meta name="accept-ch" content="sec-ch-ua-platform-version">

Note that this is the equivalent of the following today:

<meta http-equiv="accept-ch" content="sec-ch-ua-platform-version">

The reason we’re moving from http-equiv to name is that this new syntax isn’t supported in the HTTP header accept-ch field. The syntax to delegate client hints to third parties will be unique to the named meta tag.

• Explainer: https://docs.google.com/document/d/1U3P9yvaT1NXG_qRmY3Lp6Me7M5kTnd3QrBb1yFUVNNk/edit
• Specification URL: https://wicg.github.io/client-hints-infrastructure/#accept-ch-state-algo
• Tests:
  • https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/client_hints/client_hints_browsertest.cc (see test names starting with DelegateTo).
  • WPT https://github.com/web-platform-tests/wpt/pull/32142
• Security and Privacy self-review: https://github.com/WICG/client-hints-infrastructure/blob/main/tag-security-privacy-third-party-delegation.md
• GitHub repo (if you prefer feedback filed there): https://github.com/WICG/client-hints-infrastructure
• Primary contacts (and their relationship to the specification):
  • Ari Chivukula (@arichiv - editor)
  • Yoav Weiss (@yoavweiss - TL)
  • Mike Taylor (@miketaylr - TM)
• Organization(s)/project(s) driving the specification: Chromium
• Key pieces of existing multi-stakeholder review or discussion of this specification:
  • Mozilla’s position: https://github.com/mozilla/standards-positions/issues/596
  • User-Agent Client Hints & UA Reduction TAG Review: https://github.com/w3ctag/design-reviews/issues/640
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status):
  • https://crbug.com/1219359
  • https://www.chromestatus.com/feature/5684289032159232

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• The group where the work on this specification is currently being done: WICG
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): W3C or WHATWG
• Major unresolved issues with or opposition to this specification: N/A
• This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback