idnits 2.17.1
draft-ietf-httpbis-client-hints-15.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([2], [3], [1]), which it
shouldn't. Please replace those with straight textual mentions of the
documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (July 3, 2020) is 1385 days in the past. Is this
intentional?
Checking references for intended status: Experimental
----------------------------------------------------------------------------
-- Looks like a reference, but probably isn't: '1' on line 508
-- Looks like a reference, but probably isn't: '2' on line 510
-- Looks like a reference, but probably isn't: '3' on line 512
-- Looks like a reference, but probably isn't: '4' on line 514
** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)
** Obsolete normative reference: RFC 7234 (Obsoleted by RFC 9111)
Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group I. Grigorik
3 Internet-Draft Y. Weiss
4 Intended status: Experimental Google
5 Expires: January 4, 2021 July 3, 2020
7 HTTP Client Hints
8 draft-ietf-httpbis-client-hints-15
10 Abstract
12 HTTP defines proactive content negotiation to allow servers to select
13 the appropriate response for a given request, based upon the user
14 agent's characteristics, as expressed in request headers. In
15 practice, user agents are often unwilling to send those request
16 headers, because it is not clear whether they will be used, and
17 sending them impacts both performance and privacy.
19 This document defines an Accept-CH response header that servers can
20 use to advertise their use of request headers for proactive content
21 negotiation, along with a set of guidelines for the creation of such
22 headers, colloquially known as "Client Hints."
24 Note to Readers
26 Discussion of this draft takes place on the HTTP working group
27 mailing list (ietf-http-wg@w3.org), which is archived at
28 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
30 Working Group information can be found at http://httpwg.github.io/
31 [2]; source code and issues list for this draft can be found at
32 https://github.com/httpwg/http-extensions/labels/client-hints [3].
34 Status of This Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at https://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on January 4, 2021.
50 Copyright Notice
52 Copyright (c) 2020 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (https://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
68 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
69 2. Client Hint Request Header Fields . . . . . . . . . . . . . . 4
70 2.1. Sending Client Hints . . . . . . . . . . . . . . . . . . 4
71 2.2. Server Processing of Client Hints . . . . . . . . . . . . 5
72 3. Advertising Server Support . . . . . . . . . . . . . . . . . 5
73 3.1. The Accept-CH Response Header Field . . . . . . . . . . . 5
74 3.2. Interaction with Caches . . . . . . . . . . . . . . . . . 6
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
76 4.1. Information Exposure . . . . . . . . . . . . . . . . . . 7
77 4.2. Deployment and Security Risks . . . . . . . . . . . . . . 9
78 4.3. Abuse Detection . . . . . . . . . . . . . . . . . . . . . 9
79 5. Cost of Sending Hints . . . . . . . . . . . . . . . . . . . . 9
80 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
81 6.1. Accept-CH . . . . . . . . . . . . . . . . . . . . . . . . 10
82 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
83 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
84 7.2. Informative References . . . . . . . . . . . . . . . . . 11
85 7.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 11
86 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 11
87 A.1. Since -00 . . . . . . . . . . . . . . . . . . . . . . . . 11
88 A.2. Since -01 . . . . . . . . . . . . . . . . . . . . . . . . 12
89 A.3. Since -02 . . . . . . . . . . . . . . . . . . . . . . . . 12
90 A.4. Since -03 . . . . . . . . . . . . . . . . . . . . . . . . 12
91 A.5. Since -04 . . . . . . . . . . . . . . . . . . . . . . . . 12
92 A.6. Since -05 . . . . . . . . . . . . . . . . . . . . . . . . 12
93 A.7. Since -06 . . . . . . . . . . . . . . . . . . . . . . . . 12
94 A.8. Since -07 . . . . . . . . . . . . . . . . . . . . . . . . 12
95 A.9. Since -08 . . . . . . . . . . . . . . . . . . . . . . . . 13
96 A.10. Since -09 . . . . . . . . . . . . . . . . . . . . . . . . 13
97 A.11. Since -10 . . . . . . . . . . . . . . . . . . . . . . . . 13
98 A.12. Since -11 . . . . . . . . . . . . . . . . . . . . . . . . 13
99 A.13. Since -12 . . . . . . . . . . . . . . . . . . . . . . . . 13
100 A.14. Since -13 . . . . . . . . . . . . . . . . . . . . . . . . 13
101 A.15. Since -14 . . . . . . . . . . . . . . . . . . . . . . . . 13
102 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13
103 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
105 1. Introduction
107 There are thousands of different devices accessing the web, each with
108 different device capabilities and preference information. These
109 device capabilities include hardware and software characteristics, as
110 well as dynamic user and user agent preferences. Historically,
111 applications that wanted the server to optimize content delivery and
112 user experience based on such capabilities had to rely on passive
113 identification (e.g., by matching the User-Agent header field
114 (Section 5.5.3 of [RFC7231]) against an established database of user
115 agent signatures), use HTTP cookies [RFC6265] and URL parameters, or
116 use some combination of these and similar mechanisms to enable ad hoc
117 content negotiation.
119 Such techniques are expensive to set up and maintain, and are not
120 portable across both applications and servers. They also make it
121 hard for both user agent and server to understand which data are
122 required and is in use during the negotiation:
124 o User agent detection cannot reliably identify all static
125 variables, cannot infer dynamic user agent preferences, requires
126 an external device database, is not cache friendly, and is reliant
127 on a passive fingerprinting surface.
128 o Cookie-based approaches are not portable across applications and
129 servers, impose additional client-side latency by requiring
130 JavaScript execution, and are not cache friendly.
131 o URL parameters, similar to cookie-based approaches, suffer from
132 lack of portability, and are hard to deploy due to a requirement
133 to encode content negotiation data inside of the URL of each
134 resource.
136 Proactive content negotiation (Section 3.4.1 of [RFC7231]) offers an
137 alternative approach; user agents use specified, well-defined request
138 headers to advertise their capabilities and characteristics, so that
139 servers can select (or formulate) an appropriate response based on
140 those request headers (or on other, implicit characteristics).
142 However, traditional proactive content negotiation techniques often
143 mean that user agents send these request headers prolifically. This
144 causes performance concerns (because it creates "bloat" in requests),
145 as well as privacy issues; passively providing such information
146 allows servers to silently fingerprint the user.
148 This document defines Client Hints, a framework that enables servers
149 to opt-in to specific proactive content negotiation features,
150 adapting their content accordingly, as well as guidelines for content
151 negotiation mechanisms that use the framework. This document also
152 defines a new response header, Accept-CH, that allows an origin
153 server to explicitly ask that user agents send these headers in
154 requests.
156 Client Hints mitigate performance concerns by assuring that user
157 agents will only send the request headers when they're actually going
158 to be used, and privacy concerns of passive fingerprinting by
159 requiring explicit opt-in and disclosure of required headers by the
160 server through the use of the Accept-CH response header, turning
161 passive fingerprinting vectors into active ones.
163 The document does not define specific usages of Client Hints. Such
164 usages need to be defined in their respective specifications.
166 One example of such usage is the User Agent Client Hints [UA-CH].
168 1.1. Notational Conventions
170 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
171 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
172 "OPTIONAL" in this document are to be interpreted as described in BCP
173 14 [RFC2119] [RFC8174] when, and only when, they appear in all
174 capitals, as shown here.
176 This document uses the Augmented Backus-Naur Form (ABNF) notation of
177 [RFC5234].
179 2. Client Hint Request Header Fields
181 A Client Hint request header field is a HTTP header field that is
182 used by HTTP user agents to indicate data that can be used by the
183 server to select an appropriate response. Each one conveys user
184 agent preferences that the server can use to adapt and optimize the
185 response.
187 2.1. Sending Client Hints
189 User agents choose what Client Hints to send in a request based on
190 their default settings, user configuration, and server preferences
191 expressed in "Accept-CH". The user agent and server can use an opt-
192 in mechanism outlined below to negotiate which header fields need to
193 be sent to allow for efficient content adaption, and optionally use
194 additional mechanisms (e.g., as outlined in
195 [CLIENT-HINTS-INFRASTRUCTURE]) to negotiate delegation policies that
196 control access of third parties to those same header fields. User
197 agents SHOULD require an opt-in to send any hints that are not listed
198 in the low-entropy hint table at [CLIENT-HINTS-INFRASTRUCTURE].
200 Implementers need to be aware of the fingerprinting implications when
201 implementing support for Client Hints, and follow the considerations
202 outlined in the Security Considerations (Section 4) section of this
203 document.
205 2.2. Server Processing of Client Hints
207 When presented with a request that contains one or more Client Hint
208 header fields, servers can optimize the response based upon the
209 information in them. When doing so, and if the resource is
210 cacheable, the server MUST also generate a Vary response header field
211 (Section 7.1.4 of [RFC7231]) to indicate which hints can affect the
212 selected response and whether the selected response is appropriate
213 for a later request.
215 Servers MUST ignore hints they do not understand nor support. There
216 is no mechanism for servers to indicate to user agents that hints
217 were ignored.
219 Furthermore, the server can generate additional response header
220 fields (as specified by the hint or hints in use) that convey related
221 values to aid client processing.
223 3. Advertising Server Support
225 Servers can advertise support for Client Hints using the mechanism
226 described below.
228 3.1. The Accept-CH Response Header Field
230 The Accept-CH response header field indicates server support for the
231 hints indicated in its value. Servers wishing to receive user agent
232 information through Client Hints SHOULD add Accept-CH response header
233 to their responses as early as possible.
235 Accept-CH is a Structured Header [I-D.ietf-httpbis-header-structure].
236 Its value MUST be an sf-list (Section 3.1 of
237 [I-D.ietf-httpbis-header-structure]) whose members are tokens
238 (Section 3.3.4 of [I-D.ietf-httpbis-header-structure]). Its ABNF is:
240 Accept-CH = sf-list
242 For example:
244 Accept-CH: Sec-CH-Example, Sec-CH-Example-2
246 When a user agent receives an HTTP response containing "Accept-CH",
247 that indicates that the origin opts-in to receive the indicated
248 request header fields for subsequent same-origin requests. The opt-
249 in MUST be ignored if delivered over non-secure transport (using a
250 scheme different from HTTPS). It SHOULD be persisted and bound to
251 the origin to enable delivery of Client Hints on subsequent requests
252 to the server's origin, for the duration of the user's session (as
253 defined by the user agent). An opt-in overrides previous persisted
254 opt-in values and SHOULD be persisted in its stead.
256 Based on the Accept-CH example above, which is received in response
257 to a user agent navigating to "https://site.example", and delivered
258 over a secure transport, persisted Accept-CH preferences will be
259 bound to "https://site.example". It will then use it for navigations
260 to e.g., "https://site.example/foobar.html", but not to e.g.,
261 "https://foobar.site.example/". It will similarly use the preference
262 for any same-origin resource requests (e.g., to
263 "https://site.example/image.jpg") initiated by the page constructed
264 from the navigation's response, but not to cross-origin resource
265 requests (e.g., "https://thirdparty.example/resource.js"). This
266 preference will not extend to resource requests initiated to
267 "https://site.example" from other origins (e.g., from navigations to
268 "https://other.example/").
270 3.2. Interaction with Caches
272 When selecting a response based on one or more Client Hints, and if
273 the resource is cacheable, the server needs to generate a Vary
274 response header field ([RFC7234]) to indicate which hints can affect
275 the selected response and whether the selected response is
276 appropriate for a later request.
278 Vary: Sec-CH-Example
280 The above example indicates that the cache key needs to include the
281 Sec-CH-Example header field.
283 Vary: Sec-CH-Example, Sec-CH-Example-2
285 The above example indicates that the cache key needs to include the
286 Sec-CH-Example and Sec-CH-Example-2 header fields.
288 4. Security Considerations
290 4.1. Information Exposure
292 Request header fields used in features relying on this document
293 expose information about the user's environment to enable privacy-
294 preserving proactive content negotiation, and avoid exposing passive
295 fingerprinting vectors. However, implementers need to bear in mind
296 that in the worst case, uncontrolled and unmonitored active
297 fingerprinting is not better than passive fingerprinting. In order
298 to provide user privacy benefits, user agents need to apply further
299 policies that prevent abuse of the information exposed by features
300 using Client Hints.
302 The information exposed by features might reveal new information
303 about the user and implementers ought to consider the following
304 considerations, recommendations, and best practices.
306 The underlying assumption is that exposing information about the user
307 as a request header is equivalent (from a security perspective) to
308 exposing this information by other means. (For example, if the
309 request's origin can access that information using JavaScript APIs,
310 and transmit it to its servers).
312 Because Client Hints is an explicit opt-in mechanism, that means that
313 servers that want access to information about the user's environment
314 need to actively ask for it, enabling clients and privacy researchers
315 to keep track of which origins collect that data, and potentially act
316 upon it. The header-based opt-in means that removal of passive
317 fingerprinting vectors is possible, such as the User-Agent string
318 (enabling active access to that information through User-Agent Client
319 Hints ([UA-CH]) or otherwise expose information already available
320 through script (e.g., the Save-Data Client Hint [4]), without
321 increasing the passive fingerprinting surface. User agents
322 supporting Client Hints features which send certain information to
323 opted-in servers SHOULD avoid sending the equivalent information
324 passively.
326 Therefore, features relying on this document to define Client Hint
327 headers MUST NOT provide new information that is otherwise not made
328 available to the application by the user agent, such as existing
329 request headers, HTML, CSS, or JavaScript.
331 Such features need to take into account the following aspects of the
332 information exposed:
334 o Entropy - Exposing highly granular data can be used to help
335 identify users across multiple requests to different origins.
337 Reducing the set of header field values that can be expressed, or
338 restricting them to an enumerated range where the advertised value
339 is close to but is not an exact representation of the current
340 value, can improve privacy and reduce risk of linkability by
341 ensuring that the same value is sent by multiple users.
342 o Sensitivity - The feature SHOULD NOT expose user-sensitive
343 information. To that end, information available to the
344 application, but gated behind specific user actions (e.g., a
345 permission prompt or user activation) SHOULD NOT be exposed as a
346 Client Hint.
347 o Change over time - The feature SHOULD NOT expose user information
348 that changes over time, unless the state change itself is also
349 exposed (e.g., through JavaScript callbacks).
351 Different features will be positioned in different points in the
352 space between low-entropy, non-sensitive and static information
353 (e.g., user agent information), and high-entropy, sensitive and
354 dynamic information (e.g., geolocation). User agents need to
355 consider the value provided by a particular feature vs these
356 considerations, and may wish to have different policies regarding
357 that tradeoff on a per-feature or other fine-grained basis.
359 Implementers ought to consider both user- and server- controlled
360 mechanisms and policies to control which Client Hints header fields
361 are advertised:
363 o Implementers SHOULD restrict delivery of some or all Client Hints
364 header fields to the opt-in origin only, unless the opt-in origin
365 has explicitly delegated permission to another origin to request
366 Client Hints header fields.
367 o Implementers considering providing user choice mechanisms that
368 allow users to balance privacy concerns against bandwidth
369 limitations need to also consider that explaining to users the
370 privacy implications involved, such as the risks of passive
371 fingerprinting, may be challenging or even impractical.
372 o Implementations specific to certain use cases or threat models MAY
373 avoid transmitting some or all of Client Hints header fields. For
374 example, avoid transmission of header fields that can carry higher
375 risks of linkability.
377 User agents MUST clear persisted opt-in preferences when any one of
378 site data, browsing history, browsing cache, cookies, or similar, are
379 cleared.
381 4.2. Deployment and Security Risks
383 Deployment of new request headers requires several considerations:
385 o Potential conflicts due to existing use of header field name
386 o Properties of the data communicated in header field value
388 Authors of new Client Hints are advised to carefully consider whether
389 they need to be able to be added by client-side content (e.g.,
390 scripts), or whether they need to be exclusively set by the user
391 agent. In the latter case, the Sec- prefix on the header field name
392 has the effect of preventing scripts and other application content
393 from setting them in user agents. Using the "Sec-" prefix signals to
394 servers that the user agent - and not application content - generated
395 the values. See [FETCH] for more information.
397 By convention, request headers that are Client Hints are encouraged
398 to use a CH- prefix, to make them easier to identify as using this
399 framework; for example, CH-Foo or, with a "Sec-" prefix, Sec-CH-Foo.
400 Doing so makes them easier to identify programmatically (e.g., for
401 stripping unrecognised hints from requests by privacy filters).
403 A Client Hints request header negotiated using the Accept-CH opt-in
404 mechanism MUST have a field name that matches sf-token (Section 3.3.4
405 of [I-D.ietf-httpbis-header-structure]).
407 4.3. Abuse Detection
409 A user agent that tracks access to active fingerprinting information
410 SHOULD consider emission of Client Hints headers similarly to the way
411 it would consider access to the equivalent API.
413 Research into abuse of Client Hints might look at how HTTP responses
414 to requests that contain Client Hints differ from those with
415 different values, and from those without. This might be used to
416 reveal which Client Hints are in use, allowing researchers to further
417 analyze that use.
419 5. Cost of Sending Hints
421 Sending Client Hints to the server incurs an increase in request byte
422 size. Some of this increase can be mitigated by HTTP header
423 compression schemes, but each new hint sent will still lead to some
424 increased bandwidth usage. Servers SHOULD take that into account
425 when opting in to receive Client Hints, and SHOULD NOT opt-in to
426 receive hints unless they are to be used for content adaptation
427 purposes.
429 Due to request byte size increase, features relying on this document
430 to define Client Hints MAY consider restricting sending those hints
431 to certain request destinations [FETCH], where they are more likely
432 to be useful.
434 6. IANA Considerations
436 Features relying on this document are expected to register added
437 request header fields in the Permanent Message Header Fields registry
438 ([RFC3864]).
440 This document defines the "Accept-CH" HTTP response header field, and
441 registers it in the same registry.
443 6.1. Accept-CH
445 o Header field name: Accept-CH
446 o Applicable protocol: HTTP
447 o Status: experimental
448 o Author/Change controller: IETF
449 o Specification document(s): Section 3.1 of this document
450 o Related information: for Client Hints
452 7. References
454 7.1. Normative References
456 [CLIENT-HINTS-INFRASTRUCTURE]
457 Weiss, Y., "Client Hints Infrastructure", n.d.,
458 .
460 [I-D.ietf-httpbis-header-structure]
461 Nottingham, M. and P. Kamp, "Structured Field Values for
462 HTTP", draft-ietf-httpbis-header-structure-19 (work in
463 progress), June 2020.
465 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
466 Requirement Levels", BCP 14, RFC 2119,
467 DOI 10.17487/RFC2119, March 1997,
468 .
470 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
471 Procedures for Message Header Fields", BCP 90, RFC 3864,
472 DOI 10.17487/RFC3864, September 2004,
473 .
475 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
476 Specifications: ABNF", STD 68, RFC 5234,
477 DOI 10.17487/RFC5234, January 2008,
478 .
480 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
481 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
482 DOI 10.17487/RFC7231, June 2014,
483 .
485 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
486 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
487 RFC 7234, DOI 10.17487/RFC7234, June 2014,
488 .
490 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
491 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
492 May 2017, .
494 7.2. Informative References
496 [FETCH] van Kesteren, A., "Fetch", n.d.,
497 .
499 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
500 DOI 10.17487/RFC6265, April 2011,
501 .
503 [UA-CH] West, M. and Y. Weiss, "User Agent Client Hints", n.d.,
504 .
506 7.3. URIs
508 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
510 [2] http://httpwg.github.io/
512 [3] https://github.com/httpwg/http-extensions/labels/client-hints
514 [4] https://wicg.github.io/savedata/#save-data-request-header-field
516 Appendix A. Changes
518 A.1. Since -00
520 o Issue 168 (make Save-Data extensible) updated ABNF.
521 o Issue 163 (CH review feedback) editorial feedback from httpwg
522 list.
524 o Issue 153 (NetInfo API citation) added normative reference.
526 A.2. Since -01
528 o Issue 200: Moved Key reference to informative.
529 o Issue 215: Extended passive fingerprinting and mitigation
530 considerations.
531 o Changed document status to experimental.
533 A.3. Since -02
535 o Issue 239: Updated reference to CR-css-values-3
536 o Issue 240: Updated reference for Network Information API
537 o Issue 241: Consistency in IANA considerations
538 o Issue 250: Clarified Accept-CH
540 A.4. Since -03
542 o Issue 284: Extended guidance for Accept-CH
543 o Issue 308: Editorial cleanup
544 o Issue 306: Define Accept-CH-Lifetime
546 A.5. Since -04
548 o Issue 361: Removed Downlink
549 o Issue 361: Moved Key to appendix, plus other editorial feedback
551 A.6. Since -05
553 o Issue 372: Scoped CH opt-in and delivery to secure transports
554 o Issue 373: Bind CH opt-in to origin
556 A.7. Since -06
558 o Issue 524: Save-Data is now defined by NetInfo spec, dropping
559 o PR 775: Removed specific features to be defined in other
560 specifications
562 A.8. Since -07
564 o Issue 761: Clarified that the defined headers are response
565 headers.
566 o Issue 730: Replaced Key reference with Variants.
567 o Issue 700: Replaced ABNF with structured headers.
568 o PR 878: Removed Accept-CH-Lifetime based on feedback at IETF 105
570 A.9. Since -08
572 o PR 985: Describe the bytesize cost of hints.
573 o PR 776: Add Sec- and CH- prefix considerations.
574 o PR 1001: Clear CH persistence when cookies are cleared.
576 A.10. Since -09
578 o PR 1064: Fix merge issues with "cost of sending hints".
580 A.11. Since -10
582 o PR 1072: LC feedback from Julian Reschke.
583 o PR 1080: Improve list style.
584 o PR 1082: Remove section mentioning Variants.
585 o PR 1097: Editorial feedback from mnot.
586 o PR 1131: Remove unused references.
587 o PR 1132: Remove nested list.
589 A.12. Since -11
591 o PR 1134: Re-insert back section.
593 A.13. Since -12
595 o PR 1160: AD review.
597 A.14. Since -13
599 o PR 1171: Genart review.
601 A.15. Since -14
603 o PR 1220: AD review.
605 Acknowledgements
607 Thanks to Mark Nottingham, Julian Reschke, Chris Bentzel, Ben
608 Greenstein, Tarun Bansal, Roy Fielding, Vasiliy Faronov, Ted Hardie,
609 Jonas Sicking, Martin Thomson, and numerous other members of the IETF
610 HTTP Working Group for invaluable help and feedback.
612 Authors' Addresses
613 Ilya Grigorik
614 Google
616 Email: ilya@igvita.com
617 URI: https://www.igvita.com/
619 Yoav Weiss
620 Google
622 Email: yoav@yoav.ws
623 URI: https://blog.yoav.ws/