This is about giving news sources the ability to permanently change their informant parameters. It includes handling permanent HTTP redirections.
The threat is that news sources may exploit it to give each client unique redirection parameters, so if we changed the old ones in the database to the new redirection, it can be used as cookies to track users.
Next are proposed options:
- Handling permanent redirections as temporary redirections
- Do the redirection in every fetch without modifying the original informant parameters in the database.
- Legit permanent redirections will suffer from multiple round trips at every fetch, wasting resources.
- Restrict it to whitelisted redirections
HTTP to HTTPS redirection is the only safe one? (as we have more, it will lead to more unique combinations)
- Prompt the user for optional migration to the new informant parameters.
- Do no.2 automatically while having no.3 as a fallback for non-whitelisted redirections.
This is about giving news sources the ability to permanently change their informant parameters. It includes handling permanent HTTP redirections.
The threat is that news sources may exploit it to give each client unique redirection parameters, so if we changed the old ones in the database to the new redirection, it can be used as cookies to track users.
Next are proposed options:
HTTP to HTTPSredirection is the only safe one? (as we have more, it will lead to more unique combinations)