Intent to Ship: Sec-CH-UA-Full-Version-List user-agent client hint

Victor Tan

Nov 22, 2021, 11:39:47 AM
to blin...@chromium.org

Contact emails

vict...@chromium.org, mike...@chromium.org, jadek...@chromium.org


Specification

https://wicg.github.io/ua-client-hints/#sec-ch-ua-full-version-list


Summary

The Sec-CH-UA-Full-Version-List request header field gives a server information about the full version for each brand in its brands list.


Blink component

Privacy>Fingerprinting


Motivation

As raised in UA-CH Issue 196, Sec-CH-UA-Full-Version can be considered too tightly bound to the primary brand in the brand list, especially for embedders. In order to prevent classes of bugs where a site might think the fictional “Hamburger” browser is not up to date (because its version scheme is different, and lower than Chromium’s), we propose to expose the full version of each brand in the brand list, by requesting this new client hint.

Here’s what that would look like:

Sec-CH-UA-Full-Version-List: "Hamburger"; v="92.0.902.73", "Chromium"; v="92.0.4515.131", "?Not:A Browser"; v="3.1.2.0"

Eventually, it will make sense to deprecate and remove Sec-CH-UA-Full-Version (assuming usage allows us to do so). But we do not intend to do that until we ship its replacement.


Initial public proposal

https://github.com/WICG/ua-client-hints/issues/196


TAG review

https://github.com/w3ctag/design-reviews/issues/640


TAG review status

Pending (there’s a pre-existing review, and this hint came up in the review process as feedback from other browsers, so the TAG is aware of it).


Risks

Interoperability and Compatibility

This is a new hint, so it should not create compatibility issues.

Edge: This hint was added to solve a bug (maybe a feature request?) by Edge folks.

Gecko: Non-harmful (https://mozilla.github.io/standards-positions/#ua-client-hints)

WebKit: Requested through email

Web developers: No signals

Debuggability

No special DevTools support needed. It should just work™.


Is this feature fully tested by web-platform-tests?

Yes. https://chromium-review.googlesource.com/c/chromium/src/+/3256910 


Flag name

UserAgentClientHintFullVersionList


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1249246


Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1260418


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5703317813460992
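
Added example, not part of the original post and not Chromium's code: a server-side sketch of the per-brand check the Motivation section describes, reading each brand's own version from Sec-CH-UA-Full-Version-List instead of judging "Hamburger" by Chromium's numbering. The function names (parseFullVersionList, compareVersions, brandIsAtLeast) are hypothetical, and the parser tokenizes quoted strings rather than splitting on "," or ";" because brand names may contain those characters.

```javascript
// Parses only the Structured Fields subset this hint uses: "brand"; v="version", ...
function parseFullVersionList(header) {
  const brands = new Map();
  let i = 0;
  const skipWs = () => { while (header[i] === ' ' || header[i] === '\t') i++; };
  const readString = () => {
    if (header[i] !== '"') throw new SyntaxError(`expected '"' at offset ${i}`);
    let out = '';
    for (i++; i < header.length && header[i] !== '"'; i++) {
      if (header[i] === '\\') i++; // backslash escapes the next character
      out += header[i];
    }
    if (i >= header.length) throw new SyntaxError('unterminated string');
    i++; // consume the closing quote
    return out;
  };
  while (i < header.length) {
    skipWs();
    const brand = readString();
    let version = null;
    for (skipWs(); header[i] === ';'; skipWs()) {
      i++; skipWs();
      const eq = header.indexOf('=', i);
      if (eq === -1) throw new SyntaxError(`expected '=' after offset ${i}`);
      const key = header.slice(i, eq);
      i = eq + 1;
      const value = readString();
      if (key === 'v') version = value;
    }
    brands.set(brand, version);
    if (i < header.length && header[i++] !== ',') throw new SyntaxError("expected ','");
  }
  return brands;
}
// Numeric, component-wise comparison of dotted versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let k = 0; k < Math.max(pa.length, pb.length); k++) {
    if ((pa[k] || 0) !== (pb[k] || 0)) return (pa[k] || 0) < (pb[k] || 0) ? -1 : 1;
  }
  return 0;
}
// true/false for a listed brand, null when the brand is not in the list.
function brandIsAtLeast(header, brand, minimum) {
  const version = parseFullVersionList(header).get(brand);
  return version == null ? null : compareVersions(version, minimum) >= 0;
}
// The example header value from the post above.
const SAMPLE = '"Hamburger"; v="92.0.902.73", "Chromium"; v="92.0.4515.131", "?Not:A Browser"; v="3.1.2.0"';
```

Callers should treat a null result (brand absent) and a thrown SyntaxError (malformed header) as "unknown" rather than as "out of date".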


Victor Tan

Nov 23, 2021, 9:49:58 AM
to blink-dev, Victor Tan, Yoav Weiss, Aaron Tagliaboschi, Ali Beyad
Hi,
Could you also review and ship this in blink-dev? Thanks!

Bests,
Victor

Yoav Weiss

Nov 23, 2021, 11:32:33 AM
to Victor Tan, blin...@chromium.org
LGTM1

Thanks for addressing feedback from other vendors on `Sec-CH-Full-Version`'s design!


Mike West

Nov 24, 2021, 8:50:42 AM
to Yoav Weiss, Victor Tan, blin...@chromium.org

Chris Harrelson

Nov 24, 2021, 11:26:34 AM
to Mike West, Yoav Weiss, Victor Tan, blin...@chromium.org