by berkes 1894 days ago
If your webserver security relies on sending a header to clients, your security is wrong.

Not saying that filing issues against webservers is a bad idea.

Just that the security angle is wrong.

For one, because Google, or Chrome, could just choose to ignore that header if too many servers fly it.


That's like saying not sending Content-Security-Policy when it is needed to prevent XSS is not a security bug, since Chrome can start to ignore Content-Security-Policy (which it can). That is absurd.
That's more like the case with the Do Not Track header being defaulted to 1 in some browsers and many (most?) sites using that as an excuse to not honor it.
I think it is a good outcome too. If people really want relevant and targeted ads, they will opt-in to no-DNT and yes-FLoC. The fact that people don't, and that websites don't honor DNT, reveals their lies and hypocrisy.
> ... and that websites don't honor DNT...

This is the important part regarding "security". Websites choose to not honor "DNT" headers.

Clients can just as easily choose not to honor no-floc headers.

Which is why I'm saying that this is not a security-thing. If people can just choose to ignore your security-headers, they are not a security-feature. At most they are a suggestion that, when followed, makes the client honor privacy concerns from servers.
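The "no-floc header" the thread refers to is the Permissions-Policy response header with an empty allowlist for the interest-cohort feature (`Permissions-Policy: interest-cohort=()`). The following is an added example, not code from the thread or from any of its participants: a small parser for that header's syntax plus a check that a server operator could run against captured response headers to confirm the opt-out is actually being sent. The sample header sets are constructed for the example; the function and variable names are my own.

```python
"""Check whether an HTTP response opts a page out of FLoC by sending
Permissions-Policy: interest-cohort=() with an empty allowlist.

Added example; the sample headers below are constructed, not captured
from any real site.
"""

from __future__ import annotations


def _split_top_level(value: str, sep: str = ",") -> list[str]:
    """Split on `sep`, ignoring separators inside (...) groups or "..." strings."""
    parts: list[str] = []
    cur: list[str] = []
    depth = 0
    quoted = False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_permissions_policy(values: list[str]) -> dict[str, list[str]]:
    """Parse one or more Permissions-Policy header values into {feature: allowlist}.

    An empty allowlist ([]) disables the feature for the document and all its
    frames; ["*"] allows it everywhere. Later header lines override earlier
    ones for the same feature, which is how repeated header fields combine.
    """
    policy: dict[str, list[str]] = {}
    for value in values:
        for member in _split_top_level(value):
            if "=" not in member:
                continue  # malformed member; skip rather than guess
            name, _, allow = member.partition("=")
            name = name.strip().lower()
            allow = allow.strip()
            if allow == "*":
                policy[name] = ["*"]
            elif allow.startswith("(") and allow.endswith(")"):
                inner = allow[1:-1].strip()
                policy[name] = [tok.strip('"') for tok in inner.split()] if inner else []
            else:
                policy[name] = [allow.strip('"')]  # bare token such as self
    return policy


def floc_opted_out(headers: list[tuple[str, str]]) -> bool:
    """True iff the response sets interest-cohort to an empty allowlist."""
    values = [v for k, v in headers if k.lower() == "permissions-policy"]
    return parse_permissions_policy(values).get("interest-cohort") == []


# Constructed sample responses (header name, header value).
OPTED_OUT = [
    ("Content-Type", "text/html"),
    ("Permissions-Policy", 'interest-cohort=(), geolocation=(self "https://maps.example")'),
]
NOT_OPTED_OUT = [
    ("Content-Type", "text/html"),
    ("Permissions-Policy", "geolocation=()"),
]
ALLOWED_EVERYWHERE = [
    ("Permissions-Policy", "interest-cohort=*"),
]

if __name__ == "__main__":
    for label, hdrs in (("opted out", OPTED_OUT), ("not opted out", NOT_OPTED_OUT),
                        ("allowed", ALLOWED_EVERYWHERE)):
        print(f"{label}: floc_opted_out={floc_opted_out(hdrs)}")
```

In practice the header list would come from something like `curl -sI https://example.com`. Note what the check does and does not tell you: it confirms the server emits the opt-out, which is all a server can do; whether a given browser build honors it is the client's decision, which is exactly the distinction the thread is arguing about.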