w3c / baggage

Propagation format for distributed context: Baggage
https://w3c.github.io/baggage/

Make trust/privacy boundary explicit (at least in browsers) #107

Closed pes10k closed 1 year ago

pes10k commented 1 year ago

This issue is a result of the PING review requested here: https://github.com/w3cping/privacy-request/issues/94

Some of the information intended to be recorded and passed along in this header is user identifying (as the spec notes). Sec 5.2. states that "Systems MUST ensure that the baggage header does not leak beyond defined trust boundaries." I expect that this is made broad to cover a range of possible implementors, not just browsers.

However, in the browser case at least, it's important to make the intended boundary here explicit. How should a browser implementing this spec implement it to be privacy preserving (and where should that browser pass and not pass these headers along)? Without some specificity here, it's not possible to ensure the spec is privacy-respecting / preserving (as opposed to some particular possible implementation of it).

One suggestion here is to use the logic the fetch spec uses for defining a "network partition key" as the trust / privacy boundary (something maybe like "Baggage Implementations should make sure to not expose values from one storage partition to another storage partition").

The above is just one suggestion (though I think an appealing and privacy respecting one), but this immediate issue isn't specifically "define the trust/privacy boundary as X", it's just "define what the privacy boundary is when implemented in a browser".