The academic paper behind NEL expected that users are able to opt-out from NEL but such option is not required from user agents by the draft standard

w3c / network-error-logging

Network Error Logging

https://w3c.github.io/network-error-logging/

Other

81 stars 18 forks source link

The academic paper behind NEL expected that users are able to opt-out from NEL but such option is not required from user agents by the draft standard #152

Closed polcak closed 1 year ago

polcak commented 1 year ago

The original paper behind NEL lists four security, privacy, and ethical principles. One of them is that end users can opt out of NEL. However, NEL draft standard does not list any such requirement.

Proposal requirement:

"User agents conforming to this standard MUST allow users not to send any NEL reports."

This issue is related to #136.

clelland commented 1 year ago

NEL is built on the Reporting API as a foundation, and that spec states

User agents MUST allow users to disable reporting with some reasonable amount of granularity in order to maintain the priority of constituencies espoused in [HTML-DESIGN-PRINCIPLES].

polcak commented 1 year ago

Thanks. So it is already covered. I am closing this issue as no action is required from W3C. @clelland, I copied your observation to https://bugs.chromium.org/p/chromium/issues/detail?id=1445886#c4.