Open chris-wood opened 2 years ago
At a minimum, it's not clear to me from the draft if the Client Hint will only be sent if there was already a response header from the origin indicating that it accepts this particular hint. RFC 8942 describes some of the fingerprinting issues, but it's also a little wishy-washy on whether server-side opt-in is actually required.
In web contexts, at least, server-side opt-in is governed by https://wicg.github.io/client-hints-infrastructure/; if Client Hints aren't defined as low-entropy, they do require opt-ins.
The privacy posture of the GeoHash CH is interesting. If it's always sent, then it leaks information about the user's rough location. If it's not always sent, perhaps because it's gated by user consent, then its presence (or lack thereof) contributes to the fingerprint surface of said client. It's probably worth touching on this tradeoff in the draft.