Intent to Implement: `Sec-CH-UA-*` Client Hints.


Mike West

Jan 22, 2019, 5:32:04 AM1/22/19
to blink-dev, Thiemo Nagel
# Contact emails

# Spec

# Summary
The set of `Sec-CH-UA-*` client hints aim to deprecate and replace the `User-Agent` header in order to reduce the passive fingerprinting surface we expose via HTTP requests.

# Motivation
User agents identify themselves to servers as part of each HTTP request via the `User-Agent` header. This header's value has grown in both length and complexity over the years: a complicated dance between server-side sniffing to provide the right experience for the right devices on the one hand, and client-side spoofing in order to bypass incorrect or inconvenient sniffing on the other. Chrome on iOS, for instance, currently identifies itself as:

```
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1
```

While Chrome on Android sends something more like:

```
User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 2 XL Build/PPP3.180510.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36
```

There's a lot of entropy wrapped up in the UA string. This makes it an important part of fingerprinting schemes of all sorts. Safari has recently taken some steps to reduce the entropy of the user agent string, initially locking it to a single value, period, and then backing off a bit due to developer feedback. The client hint mechanism seems like it might allow user agents generally to be a little more aggressive.

# Interoperability risk
At TPAC, we had an interesting discussion with folks from Brave, Safari, Edge, and others in the room. I think it's fair to say that folks are skeptical of client hints generally, but positive on the potential of using the infrastructure to reduce fingerprinting surface via these specific hints.

Edge: No public signals, but see above.
Safari: Mixed signals. See above.
Firefox: Mixed signals. Mozilla folks weren't in the room at TPAC, but we have other evidence to point to. They consider Client Hints generally to be "non-harmful", but I've gotten positive feedback on these hints in particular (https://lists.w3.org/Archives/Public/ietf-http-wg/2018OctDec/0176.html, for instance).

# Compatibility risk
Introducing this hint in itself won't affect any page, as it's purely opt-in. In the future, deprecating and freezing `User-Agent` will almost certainly have some compatibility risk that we'll need to evaluate as we go.

# Ongoing technical constraints
None.

# Will this feature be supported on all six Blink platforms
Yes.

# OWP launch tracking bug

# Link to entry on the Chrome Platform Status

# Requesting approval to ship?
No

Thanks!

-mike
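The opt-in exchange the Intent relies on ("purely opt-in": a server advertises the hints it wants via `Accept-CH`, and only then does the client attach `Sec-CH-UA-*` headers to later requests), shown as an added example that is not code from the Intent, from Chromium, or from the draft spec. `Accept-CH` and `Sec-CH-UA` are named on the page; the other header names, the token-to-header mapping and every hint value below are assumptions or constructed samples, and the matcher for `Sec-CH-UA` values is a minimal one, not a full Structured Headers parser. The two legacy `User-Agent` strings quoted in the Intent are reused as sample input to show a server answering the same "which major version?" question from either source.

```python
"""Accept-CH opt-in flow for `Sec-CH-UA-*` hints (added illustration).

Not code from the Intent or the draft spec. `Accept-CH` and `Sec-CH-UA`
appear on the page; the remaining header names and the token-to-header
mapping are assumptions, and all hint values are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Accept-CH token -> request header the client may send once the origin opts in.
# Assumption: this pairing mirrors the draft's naming; it is not quoted from it.
HINT_HEADERS: Dict[str, str] = {
    "UA": "Sec-CH-UA",
    "Platform": "Sec-CH-UA-Platform",
    "Arch": "Sec-CH-UA-Arch",
    "Model": "Sec-CH-UA-Model",
}

# Constructed sample: everything this client is *able* to reveal. Only the
# subset an origin asks for via Accept-CH ever leaves the browser.
CLIENT_HINTS: Dict[str, str] = {
    "Sec-CH-UA": '"Chrome"; v="73", "Chromium"; v="73"',
    "Sec-CH-UA-Platform": '"Android"',
    "Sec-CH-UA-Arch": '"arm"',
    "Sec-CH-UA-Model": '"Pixel 2 XL"',
}

# Legacy UA strings quoted in the Intent, reused here as sample input.
LEGACY_UA_ANDROID = ("Mozilla/5.0 (Linux; Android 9; Pixel 2 XL Build/PPP3.180510.008) "
                     "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36")
LEGACY_UA_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1")


def parse_accept_ch(value: Optional[str]) -> List[str]:
    """Server -> client: split an `Accept-CH` response header into hint tokens.
    A missing or empty header means the origin has not opted in to anything."""
    if not value:
        return []
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def hints_to_send(accept_ch: Optional[str], available: Dict[str, str] = CLIENT_HINTS) -> Dict[str, str]:
    """Client side: pick the hint headers that accompany the *next* request to
    this origin. Modelled as fully opt-in, as the Intent describes: without
    Accept-CH nothing is sent, and unknown tokens are ignored, never guessed."""
    chosen: Dict[str, str] = {}
    for token in parse_accept_ch(accept_ch):
        header = HINT_HEADERS.get(token)
        if header is not None and header in available:
            chosen[header] = available[header]
    return chosen


# One `Sec-CH-UA` list item: a quoted brand carrying a `v` parameter. Matching
# item by item (rather than splitting on commas first) keeps a comma or
# semicolon inside a quoted brand from breaking the parse.
_UA_ITEM = re.compile(r'"([^"]*)"\s*;\s*v\s*=\s*"([^"]*)"')


def parse_sec_ch_ua(value: str) -> List[Tuple[str, str]]:
    """Server side: turn a `Sec-CH-UA` value into (brand, version) pairs."""
    return _UA_ITEM.findall(value)


def major_version_from_hint(value: str, brand: str) -> Optional[str]:
    """Server side: the major version a named brand reports in `Sec-CH-UA`, or None."""
    for name, version in parse_sec_ch_ua(value):
        if name == brand:
            return version.split(".")[0]
    return None


_LEGACY_CHROME = re.compile(r"\b(?:Chrome|CriOS)/(\d+)")


def major_version_from_legacy_ua(user_agent: str) -> Optional[str]:
    """The same question answered by sniffing the legacy `User-Agent` string,
    which makes the server consume the whole high-entropy value to get one number."""
    match = _LEGACY_CHROME.search(user_agent)
    return match.group(1) if match else None


if __name__ == "__main__":
    # First response carries the opt-in; the request after it carries only
    # the hints the origin asked for.
    print(hints_to_send(None))                 # {} : nothing without an opt-in
    print(hints_to_send("UA, Platform"))       # UA and Platform only, no Arch/Model
    print(parse_sec_ch_ua(CLIENT_HINTS["Sec-CH-UA"]))
    print(major_version_from_hint(CLIENT_HINTS["Sec-CH-UA"], "Chrome"))
    print(major_version_from_legacy_ua(LEGACY_UA_ANDROID))
```

The point of `hints_to_send` is the compatibility claim in the Intent: an origin that never sends `Accept-CH` sees no new headers at all, so shipping the hints changes nothing for existing pages, and the high-entropy fields (`Arch`, `Model`) reach only origins that asked for them, which is the surface the proposal is trying to shrink relative to the always-on `User-Agent` string.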

er...@cloudinary.com

Jan 24, 2019, 11:39:17 AM1/24/19
to blink-dev, tna...@chromium.org
Just a note to say that the Spec URL is incorrect, above; the correct URL is: https://tools.ietf.org/html/draft-west-ua-client-hint