TAO opt-in: pros, cons, and implementation

[igrigorik]

As a thought experiment, let's say we defined Content Size to require mandatory TAO opt-in:

• The (iframe) document must provide TAO opt-in: this exposes the size of the document to the embedder.
• All resources within the embedded context must provide TAO opt-in: this exposes the size of each resource to the nested context. The iframe'd document by providing the TAO opt-in to the embedder then also exposes it's subresource total.
  • Resources that don't provide the TAO opt-in are blocked by the user agent.

The above model means we can expose exact byte counts. The embedder wouldn't see the specific resources fetched by the nested context, but it would know their total size.

The downside to the above is that it requires explicit opt-in by the emdedded content.. which may or may not be practical for some of the use cases we'd like this be used in.

[yoavweiss]

I think that is the best route forward, assuming we can pull it off and convince most third parties that they must add TAO headers.

I guess the biggest question here is if there are third party use-cases that would violate user privacy by enabling TAO (e.g. widgets that change resources fetched based on user login/preference/unread messages, etc).

[csharrison]

I'm concerned this would be extremely difficult in practice. Do we have a sense for a minimum number of third parties which we would need to add TAO header to enable even a single ad to render correctly (assuming we block resources without TAO)? My hunch is that it would be a big effort.

[jkarlin]

I agree with csharrison@. The primary use-case for size policy is to restrict third-party ads and social widgets so that publishers have more control over the user experience of their pages. If you require TAO then the publisher really doesn't have any more control than before.