diff --git a/index.bs b/index.bs index 63abf41..edf1554 100644 --- a/index.bs +++ b/index.bs @@ -224,13 +224,15 @@ following steps:
  • Run [=retrieve the client hints set=] with |settingsObject|.
  • For each [=client hints token=] |lowEntropyHint| in the registry's [=low entropy hint table=], [=set/append=] |lowEntropyHint| to |hintSet|.
  • If |request|'s [=request/client=] is not null, then for each [=client hints token=] |requestHint| in -|request|'s [=environment settings object/client hints set=], [=set/append=] |requestHint| to +|settingsObject|'s [=environment settings object/client hints set=], [=set/append=] |requestHint| to |hintSet|.
  • For each |hintName| in |hintSet|:
    1. If |request| is not a [=navigation request=] for a "document" [=request/destination=] and if the result of running [[permissions-policy#algo-should-request-be-allowed-to-use-feature]] given |request| and |hintName|'s associated feature in [[#policy-controlled-features]] returns `false`, then continue to next |hintName|. +
    2. If the user agent decides, in an [=implementation-defined=] way (see [[#privacy]]), to omit this hint then continue.
    3. Let |value| be the result of running [=find client hint value=] with |hintName|. +
    4. If the user agent decides, in an [=implementation-defined=] way (see [[#privacy]]), to modify |value| then do so.
    5. [=header list/append=] |hintName|/|value| to the [=request/header list=].
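Review bot: In the added step 4, "to modify |value| then do so" neither reassigns |value| nor bounds what the modification may produce, so step 5 can append something that is not a valid value for |hintName|. Suggest wording along the lines of "set |value| to a modified value that is still a valid value for |hintName|". The added step 2 ends with "then continue" while step 1 uses "continue to next |hintName|"; pick one form. Separately, the step that now iterates |settingsObject|'s client hints set is still guarded by "|request|'s [=request/client=] is not null". The visible lines do not show how |settingsObject| relates to that client, so either state the relation in this step or adjust the guard to test what is actually read.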
    @@ -392,7 +394,12 @@ Issue: Links for image features are broken, need to actually define that and lin Security and Privacy considerations {#privacy} =========== -See [[!RFC8942]]. + +This specification exposes information regarding the user's preferences and agent, which can be used as an active fingerprinting vector. +[=User agents=] implementing this specification need to be aware of that, and take that into consideration when deciding whether to implement specific hints, +modify their returned values for a given hint, or omit the hint entirely. + +For example, the user might have a site specific setting to override or disable specific client hints to reduce the potential for fingerprinting. Terms {#terms} ====
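Review bot: The removed line "See [[!RFC8942]]." was a normative reference, and the replacement text in the Security and Privacy considerations section no longer cites RFC 8942 at all. Keep the reference next to the new paragraphs so the section still points readers at the considerations it previously relied on. Two wording points in the added text: "site specific setting" should be hyphenated as "site-specific setting", and the example describes a user setting while the algorithm steps that link here describe a user agent decision, so one sentence saying that such user settings are an input to that decision would connect the two.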