explainers-by-googlers / Web-Environment-Integrity


HTTP client hints #6

Open michaelficarra opened 1 year ago

michaelficarra commented 1 year ago

I think it would be appropriate for attestable environments to advertise this property via a low-entropy HTTP client hint. This will make it easy for web applications to deliver different experiences to visitors based on whether they will be able to take certain sensitive actions or not. It will avoid unnecessary redirects, refreshes, or replacement of content based on a runtime probe of the attestation API.

/cc @bakkot
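The negotiation described in the comment above, as an added example that is not code from the issue thread or the Web Environment Integrity explainer. The header name `Sec-CH-Attestable`, the `?1`/`?0` boolean encoding and the `X-Attestation-Token` header are assumptions for illustration; the proposal names no hint. The server advertises the hint with `Accept-CH`, selects a presentation variant from it, and adds `Vary` so caches keep the variants apart. The hint only drives presentation: the sensitive action still requires a token the server validates itself, which is the enforceability concern the thread goes on to raise.

```python
"""Server-side handling of a hypothetical low-entropy client hint that
advertises an attestable environment (example code, not the explainer's)."""
from typing import Callable, Dict, Optional, Tuple

# Hypothetical hint name; the thread proposes the idea but names no header.
HINT = "Sec-CH-Attestable"
# Hypothetical header carrying the per-request attestation token.
TOKEN_HEADER = "X-Attestation-Token"


def parse_boolean_hint(value: Optional[str]) -> Optional[bool]:
    """Parse an RFC 8941 structured-field boolean ('?1' / '?0').
    Anything else is treated as absent so a malformed value never
    selects a variant."""
    if value is None:
        return None
    v = value.strip()
    if v == "?1":
        return True
    if v == "?0":
        return False
    return None


def handle_request(headers: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Return (response headers, chosen variant) for a page request.

    The first response always carries Accept-CH so the browser starts
    sending the hint; Vary keeps cached variants keyed on the hint."""
    lowered = {k.lower(): v for k, v in headers.items()}
    response_headers = {"Accept-CH": HINT, "Vary": HINT}

    attestable = parse_boolean_hint(lowered.get(HINT.lower()))
    if attestable is True:
        variant = "full-experience"      # sensitive actions can be offered up front
    elif attestable is False:
        variant = "fallback"             # skip the attestation-gated UI entirely
    else:
        variant = "probe-at-runtime"     # no hint yet: the runtime probe the hint was meant to avoid
    return response_headers, variant


def sensitive_action_allowed(headers: Dict[str, str],
                             token_is_valid: Callable[[str], bool]) -> bool:
    """Authorise a sensitive action.

    The hint is ignored here on purpose: it is self-declared and low
    entropy, so only a token the server verifies (token_is_valid is the
    caller-supplied verifier, assumed here) may grant the action."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(TOKEN_HEADER.lower())
    return token is not None and token_is_valid(token)


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle_request({}))
    print(handle_request({"Sec-CH-Attestable": "?1"}))
    print(sensitive_action_allowed({"Sec-CH-Attestable": "?1"}, lambda t: False))
```

Because the hint is sent by the client, a server that let it unlock the action itself would recreate the problem the holdback exists to prevent; the hint saves a redirect or a runtime probe, and nothing more.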

RupertBenWiser commented 1 year ago

I like the idea, but I think this is blocked on the discussion you've started in issue 5. The question boils down to how enforceable the attestations can be per request.

The intention behind the hold back is to prevent web authors from changing individual traffic if attestations are not available so perhaps it makes sense to first continue the discussion there before returning to this issue.

Let me know what you think!

michaelficarra commented 1 year ago

Sure, happy to hold off on this conversation until #5 is resolved.