This specification briefly describes an optional header used to negotiate which evil things web sites can and can't do.
It rests on the assumption that some people would rather simply bounce off a site that tries to do these things than waste time on it.
An additional header is specified for each of the client and the server.
The header looks like this:
Accept-Evil: aaaaaaa
or:
Require-Evil: aaaaaaa
where each character has a value and a position.
Accept-Evil values (sent by the client):
- n - Never: Client will never accept this
- c - Conditionally: Client will conditionally accept this on a per site basis
- a - Always: Client will always accept this
Require-Evil values (sent by the server):
- r - Required: If you do not allow this, the server will not function as intended
- a - Available: The server will offer this content if you accept it
- n - Not required: The server will not attempt to send you this content
Positional fields, in order from the first character to the last:
- Advertisements
- Notifications
- Request to handle data in a way that would violate GDPR without explicit authorisation
- Provide data or integration to a third party, other than by means of a hyperlink
- Popup (including modal popup)
- Audio
- Video
For example, a normal web browser configuration would send this:
Accept-Evil: aaaaaaa
My web browser might send this:
Accept-Evil: nnccncc
That means I will never accept adverts, notifications, or popups. I may conditionally accept GDPR violations, third party integrations, audio and video.
A video hosting web site might have a Require-Evil header like this:
Require-Evil: annanar
The web site must have permission to display video. If the client allows audio on this site, that is available too. It will optionally serve advertisements if the client allows this. It will never use notifications or violate the GDPR. It will offer third party integrations if the client allows this. It will never display popups.
An evil video hosting web site might look like this:
Require-Evil: rnnanar
A correctly configured client will quickly know not to continue talking to this web site as it requires advertisements to function.
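The client-side decision described above, as an added example that is not part of the specification. The short field names, the `siteAllows` list used to resolve a conditional (`c`) value, and the choice to treat an unapproved `c` as a refusal are assumptions of this example.

```javascript
// Added example, not part of the specification. Field order is taken from the
// "Positional fields" list; the short field names are this example's own.
const FIELDS = ["advertisements", "notifications", "gdpr-violation",
                "third-party", "popup", "audio", "video"];

// Validate a header value: exactly one character per field, from the allowed set.
function parseEvil(value, allowed) {
  if (typeof value !== "string" || value.length !== FIELDS.length) {
    throw new Error(`expected ${FIELDS.length} characters`);
  }
  const out = {};
  [...value].forEach((ch, i) => {
    if (!allowed.includes(ch)) {
      throw new Error(`invalid value '${ch}' at position ${i + 1}`);
    }
    out[FIELDS[i]] = ch;
  });
  return out;
}

// Decide, from the client's side, whether to keep talking to the site.
// siteAllows: fields the user has approved for this site (resolves 'c').
// Assumption: an unapproved 'c' is treated as a refusal.
function negotiate(acceptEvil, requireEvil, siteAllows = []) {
  const client = parseEvil(acceptEvil, "nca");
  const server = parseEvil(requireEvil, "ran");
  const enabled = [];
  const blockers = [];
  for (const field of FIELDS) {
    if (server[field] === "n") continue; // server will not send it
    const permitted = client[field] === "a" ||
      (client[field] === "c" && siteAllows.includes(field));
    if (permitted) enabled.push(field);
    else if (server[field] === "r") blockers.push(field); // required but refused
  }
  return { proceed: blockers.length === 0, enabled, blockers };
}
```

A client would bounce whenever `proceed` is false; `blockers` names the required fields it refused.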