by sanxiyn 1893 days ago
I want to suggest another thing we can collaborate on. File bugs against Apache and nginx such that Apache and nginx emit Permission-Policy header by default. People who want FLoC can opt-in, but since Pervasive Monitoring Is an Attack (RFC 7258), it is clearly a severe security bug in Apache and nginx that they don't emit this header by default.

This may need CVE.
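To make the suggestion concrete, here is an added example that is not part of the thread. The opt-out Chrome's FLoC trial recognised was the response header `Permissions-Policy: interest-cohort=()` (the spec spells the header `Permissions-Policy`); Apache can emit it with mod_headers via `Header always set Permissions-Policy "interest-cohort=()"`, and nginx via `add_header Permissions-Policy "interest-cohort=()" always;`. The script below parses that header out of a few constructed sample responses (the server names and values are made up for the example) and reports which ones actually opt out, including the easy-to-miss case where `interest-cohort=(self)` still lets the page itself be cohorted.

```python
"""Audit whether an HTTP response opts a page out of FLoC via Permissions-Policy.

Added example, not code from the thread or from Apache/nginx. It assumes the
opt-out value Chrome's FLoC trial specified: `Permissions-Policy: interest-cohort=()`.
The sample responses are constructed, not captured from any real server.
"""
from typing import Dict, List, Mapping

FLOC_FEATURE = "interest-cohort"  # feature name Chrome's FLoC trial used


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist}.

    The header is a Structured Fields dictionary: comma-separated
    `feature=allowlist` members. An allowlist is `*`, a bare token such as
    `self`, or a parenthesised, space-separated list, possibly empty: `()`.
    Commas never occur inside the parentheses, so splitting on commas is safe.
    """
    policy: Dict[str, List[str]] = {}
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        feature, sep, allowlist = member.partition("=")
        feature = feature.strip().lower()
        allowlist = allowlist.strip()
        if not sep:
            # A member with no value is Structured Fields boolean true ("?1").
            # It is not an empty allowlist, so it never counts as an opt-out.
            policy[feature] = ["?1"]
        elif allowlist.startswith("(") and allowlist.endswith(")"):
            policy[feature] = allowlist[1:-1].split()
        else:
            policy[feature] = [allowlist]
    return policy


def floc_opted_out(headers: Mapping[str, str]) -> bool:
    """True only if the response disables interest-cohort for every origin.

    Header names are matched case-insensitively. Only the empty allowlist `()`
    counts: `interest-cohort=(self)` still lets the page itself be cohorted,
    and a missing header (the stock Apache/nginx default) is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "permissions-policy":
            if parse_permissions_policy(value).get(FLOC_FEATURE) == []:
                return True
    return False


# Constructed sample responses (header dicts), one per scenario.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    # Apache with `Header always set Permissions-Policy "interest-cohort=()"`
    "apache_with_header": {"Server": "Apache", "Permissions-Policy": "interest-cohort=()"},
    # Stock nginx: no header at all, the default the thread complains about
    "nginx_default": {"Server": "nginx", "Content-Type": "text/html"},
    # Opt-out buried among other policies, lowercase header name
    "mixed_policies": {
        "server": "nginx",
        "permissions-policy": 'geolocation=(self "https://maps.example"), interest-cohort=(), camera=*',
    },
    # Looks like an opt-out but still allows the page itself to be cohorted
    "self_allowed": {"Server": "Apache", "Permissions-Policy": "interest-cohort=(self)"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether its headers opt the page out of FLoC."""
    return {name: floc_opted_out(headers) for name, headers in responses.items()}


if __name__ == "__main__":
    for name, opted_out in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20s} FLoC opted out: {opted_out}")
```

The point of `self_allowed` is that a header-presence check is not enough; an audit has to parse the allowlist and insist on `()`.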


If your webserver security relies on sending a header to clients, your security is wrong.

Not saying that filing issues against webservers is a bad idea.

Just that the security angle is wrong.

For one, because Google, or Chrome, could just choose to ignore that header if too many servers fly it.

That's like saying not sending Content-Security-Policy when it is needed to prevent XSS is not a security bug, since Chrome can start to ignore Content-Security-Policy (which it can). That is absurd.

That's more like the case with the Do Not Track header being defaulted to 1 in some browsers and many (most?) sites using that as an excuse to not honor it.
I think it is a good outcome too. If people really want relevant and targeted ads, they will opt-in to no-DNT and yes-FLoC. The fact that people don't, and that websites don't honor DNT, reveal their lies and hypocrisy.
> ... and that websites don't honor DNT...

This is the important part regarding "security". Websites choose to not honor "DNT" headers.

Clients can just as easily choose not to honor no-FLoC headers.

Which is why I'm saying that this is not a security-thing. If people can just choose to ignore your security-headers, they are not a security-feature. At most they are a suggestion that, when followed, make the client honor privacy concerns from servers.

Why would Apache include the Permission-Policy header when they previously chose to ignore the "Do Not Track" header?

Do Not Track ended up being used for tracking and identifying users. Support for it is now removed even from Safari, https://webkit.org/tracking-prevention/

> Removed the Do Not Track flag, which ironically was used as a fingerprinting vector, adding uniqueness to the users who had enabled it.

Because users want to? I would like to think Apache httpd project listens to their users.