3rd-party access to client-hints causes payload bloat and confusion #152

Open
Steve51D opened this issue Nov 2, 2020 · 3 comments

Steve51D commented Nov 2, 2020

Currently, 3rd parties will only be sent client hints if both:

  • Accept-CH is set to request the relevant headers.
  • Feature-Policy / Permissions-Policy is set to allow each 3rd party access to each specific header.

For major websites with a large web of 3rd party dependencies, this ends up being incredibly verbose and can significantly inflate the size of the response.

Is there any reason that a more succinct solution, even a re-use of existing headers such as content-security-policy, is not viable?
For example, if I've given permissions for JavaScript from www.example.com to run on my page using csp, why should I then need to separately allow access to client hints for that 3rd party?
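
As an added illustration of the two-header requirement described in this post (example code written for this edit, not from the issue thread, from Steve51D, or from any browser or spec project): the snippet below generates the `Accept-CH` and `Permissions-Policy` response headers for a list of hints and a list of third-party origins, and measures how each header grows with the number of origins. The mapping from a hint header name to its Permissions-Policy feature name (lowercase, drop a leading `sec-`, prefix `ch-` if not already present, so `Sec-CH-UA-Platform` becomes `ch-ua-platform` and `DPR` becomes `ch-dpr`) is my reading of the client hints infrastructure spec and is an assumption here; the vendor origins are made up.

```javascript
// Added example, not code from the issue thread or from any spec.
// Builds the two response headers a first party must send for a set of
// third-party origins to receive a set of client hints, then measures how
// the Permissions-Policy header grows with the number of origins.
//
// Assumption: a hint's policy-controlled feature name is the header name
// lowercased, with a leading "sec-" removed and "ch-" prepended when absent
// (Sec-CH-UA-Platform -> ch-ua-platform, DPR -> ch-dpr). Origins are made up.

function hintToFeature(hintHeader) {
  const name = hintHeader.toLowerCase().replace(/^sec-/, '');
  return name.startsWith('ch-') ? name : 'ch-' + name;
}

function buildClientHintHeaders(hints, thirdPartyOrigins) {
  // Accept-CH names the hints once, independent of who may receive them.
  const acceptCh = hints.join(', ');
  // Permissions-Policy must delegate each hint to each origin, so the value
  // carries hints x origins entries.
  const allowList = ['self', ...thirdPartyOrigins.map((o) => `"${o}"`)].join(' ');
  const policy = hints.map((h) => `${hintToFeature(h)}=(${allowList})`).join(', ');
  return { 'Accept-CH': acceptCh, 'Permissions-Policy': policy };
}

function headerBytes(headers) {
  // Approximate uncompressed wire size: "Name: value\r\n" per header, UTF-8.
  const enc = new TextEncoder();
  return Object.entries(headers)
    .reduce((n, [k, v]) => n + enc.encode(`${k}: ${v}\r\n`).length, 0);
}

// Constructed sample data: ten hints and N made-up vendor origins.
const SAMPLE_HINTS = [
  'Sec-CH-UA', 'Sec-CH-UA-Arch', 'Sec-CH-UA-Bitness', 'Sec-CH-UA-Full-Version-List',
  'Sec-CH-UA-Mobile', 'Sec-CH-UA-Model', 'Sec-CH-UA-Platform',
  'Sec-CH-UA-Platform-Version', 'Device-Memory', 'DPR',
];

function sampleOrigins(n) {
  return Array.from({ length: n }, (_, i) => `https://vendor${i + 1}.example`);
}

// Returns [{origins, acceptChBytes, policyBytes}] so the growth can be inspected.
function sizeByOriginCount(hints, counts) {
  return counts.map((n) => {
    const h = buildClientHintHeaders(hints, sampleOrigins(n));
    return {
      origins: n,
      acceptChBytes: headerBytes({ 'Accept-CH': h['Accept-CH'] }),
      policyBytes: headerBytes({ 'Permissions-Policy': h['Permissions-Policy'] }),
    };
  });
}

for (const row of sizeByOriginCount(SAMPLE_HINTS, [1, 10, 50])) {
  console.log(row);
}
```

Run with `node`: the `Accept-CH` size stays flat while the `Permissions-Policy` size grows roughly linearly in origins times hints, which is the duplication the post complains about. The output uses the newer structured-header `Permissions-Policy` syntax rather than the older `Feature-Policy` form.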

Steve51D commented Nov 2, 2020

Looking through the permissions-policy issues list, I think this may already be covered by w3c/webappsec-permissions-policy#408

@miketaylr (Collaborator) commented:

> For major websites with a large web of 3rd party dependencies, this ends up being incredibly verbose and can significantly inflate the size of the response.

It would be interesting to see some data on this. Do you have any examples with measurements @Steve51D?


eeeps commented Jan 6, 2022

There's also WICG/client-hints-infrastructure#23

My complaint there stems from how awkward this is to explain to people. I've settled on:

"Accept-CH asks the browser to send particular hints. Permissions-Policy asks the browser to send particular hints to particular origins. It seems a bit duplicative because it is: you need to do both."
