Intend to extend experiment: User-Agent Reduction


Ali Beyad

Apr 18, 2022, 5:51:22 PM
to blink-dev

Note: please see the “Experiment Timeline” section for our extension request - the rest of the details are the same as before.


Contact emails

abe...@chromium.org, mike...@chromium.org

Original I2E

https://groups.google.com/a/chromium.org/g/blink-dev/c/R0xKm1B7qoQ/


Explainer

https://developer.chrome.com/blog/user-agent-reduction-origin-trial/ 


Specification

None, but we intend to specify the reduced UA in https://compat.spec.whatwg.org/#ua-string-section as it ships.


Summary

We want to reduce the amount of information the User Agent string exposes in HTTP requests as well as in navigator.userAgent, navigator.appVersion, and navigator.platform. The browser's brand and significant version, its desktop/mobile distinction and the platform it is running on will continue to be sent.


We would like to run an Origin Trial for sites to opt into the Reduced User-Agent (and related navigator properties) to proactively test for breakage. See below for more details.


Design Doc

https://docs.google.com/document/d/1feIxK9S7oNgT2oGGebbxE9X0O-4wTKcsP_gRaY99tq4/edit#heading=h.2navvbygwxwb 


Blink component

Blink


TAG review

https://github.com/w3ctag/design-reviews/issues/640 


TAG review status

Closed as “Satisfied with concerns” (https://github.com/w3ctag/design-reviews/issues/640)


Risks: Interoperability and Compatibility

The compatibility risk is low, as we’re planning to reduce the amount of information in the UA string, rather than remove the header. Most existing UA detection code should continue to work. It is only future UA detection code that will need to move to use the UA client hints instead. In the long term, we expect this change to improve compatibility, as UA detection based on UA-CH is bound to be more reliable than the current status quo. We hope this Origin Trial will help us flesh out site compat issues we can’t predict a priori.


As for interoperability, other vendors are on board with UA information reduction, but not necessarily with the UA Client Hints mechanism that is supposed to replace it. That can create a tricky situation, where developers would need to rely on the User-Agent string for some browsers and on UA-CH for others.


Edge: Positive signals (https://twitter.com/_scottlow/status/1206831008261132289)

Firefox: Public support for reducing UA string information - “freezing the User Agent string without any client hints—seems worth-prototyping” (from https://github.com/mozilla/standards-positions/issues/202#issuecomment-558294095)

Safari: Shipped to some extent. Safari has attempted to completely freeze the UA string in the past, but somewhat reverted that decision. Nowadays, their UA string seems mostly frozen, with updates only to the browser version.

Web developers: Mixed signals. Some positive comments on Twitter, blink-dev, etc., as well as some negative sentiment.


Experiment Summary

This experiment is going to be a bit different from a normal Origin Trial; the goal is less about gathering information on the design of a new API than it is about enabling developers and administrators to test and ensure compatibility with our proposed changes. This change represents a large compat challenge with very subtle pitfalls and vast dependencies; it’s incredibly important we give developers any opportunity to test systems at every level.


As for engaging with the trial itself, there will be two components controlled by the same Origin Trial: 

  1. Reducing the information in the associated JS getters, if the Origin Trial is enabled.

  2. A client hint that gets set when the Origin Trial is enabled, where the client hint indicates to the origin that the User-Agent request header contains the reduced value. Because of the experimental nature of this client hint, a valid Origin Trial token must be sent in the response header by the origin for the client hint to take effect or be stored (in order to prevent platform burn-in for this temporary client hint token).


During the process of conducting the Origin Trial, we may find that we need to request an exception to the per-site (and possibly global) limits imposed by Origin Trials. In practice, Origin Trials rarely exceed their quota limits, but if necessary, there is time between when the limits have been exceeded and the Origin Trial is turned off, where we can work with the users on reducing their usage and/or lifting the limits.


Please see the design document describing the experiment for more information.


Experiment Goals

The goal of this trial is to enable developers to test how reducing the User-Agent request header and the related navigator getters will affect their systems and make sure they have all of the tools they need for an effective migration to User Agent Client Hints. We hope that by providing sufficient time to test and provide feedback we can validate our current plans for UA Reduction and safely roll them out to the web at large.


We will be relying heavily on user and developer feedback to understand where breakage occurs, or where use cases are not accounted for. We will create a GitHub repository as well as a public mailing list for gathering feedback. When the OT is ready, we plan to publish developer guidance on how to enroll and provide feedback.


Experiment Timeline

M101-M103


Reason this experiment is being extended

We have a partner that would like to continue testing the fully reduced UA string. Due to an issue in their experiment design, they weren't able to launch the OT and collect any data. We would like to extend the OT by 3 milestones, if possible. We believe the risks for burn-in don't apply, because this OT just enables what we hope will be the default behavior in the future.


We are encouraged by the fact that no other OT participants provided negative feedback, or reports of site breakage, so we feel like this extension is pretty safe.


Draft spec: https://compat.spec.whatwg.org/#ua-string-section

TAG review: Closed as “Satisfied with concerns”

bit.ly/blink-signals requests: Firefox and Safari have already shipped UA reduction in varying forms.

Outreach for feedback from the spec community: N/A

WPT tests: There are WPTs covering general UA string behavior but nothing specific to UA reduction yet (until the various phases land in the stable channel).


Experiment Risks

Despite the proposed changes being net-positive in terms of privacy, there are some compat risks, as many sites have come to rely on the shape of the User-Agent header and related JS interfaces. Site breakage can take many forms, both obvious and non-obvious. However, since sites are in control of the Origin-Trial and Accept-CH headers, a site can quickly opt out of the experiment when breakage is encountered.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No (All but WebView)


Is this feature fully tested by web-platform-tests?

Not yet.


Flag name

#reduce-user-agent


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=955620

https://bugs.chromium.org/p/chromium/issues/detail?id=1222742


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5704553745874944
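
The opt-in described in the post above, as an added example that is not part of the original thread or Chromium's code: a site sends the `Origin-Trial` and `Accept-CH` response headers, then reads only the fields the reduced string still carries. `Sec-CH-UA-Reduced` is the trial hint's name as given in the linked explainer; the token placeholder, function names and sample requests are constructed for illustration.

```javascript
// Added example, not code from the thread. Origin-Trial, Accept-CH and
// Sec-CH-UA-Model are named on the page; Sec-CH-UA-Reduced is the hint name
// from the linked explainer. Everything else here is constructed.
const TRIAL_TOKEN = 'PLACEHOLDER_ORIGIN_TRIAL_TOKEN'; // placeholder, not a real token

// Response headers: opting out means no longer sending either header.
function trialHeaders(optedIn) {
  return optedIn
    ? { 'Origin-Trial': TRIAL_TOKEN, 'Accept-CH': 'Sec-CH-UA-Reduced, Sec-CH-UA-Model' }
    : {};
}

const PLATFORMS = [['Android', 'Android'], ['Windows NT', 'Windows'],
  ['Macintosh', 'macOS'], ['CrOS', 'Chrome OS'], ['Linux', 'Linux']];

// Read only what the reduced string still carries (major version, mobile flag,
// platform) from User-Agent; take the device model from UA-CH when it is sent.
function classifyRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ua = h['user-agent'] || '';
  const m = /Chrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua);
  const zeroed = !!m && m.slice(2).every((part) => part === '0');
  const platform = PLATFORMS.find(([token]) => ua.includes(token));
  const model = h['sec-ch-ua-model'];
  return {
    viaTrial: h['sec-ch-ua-reduced'] === '?1', // structured-field boolean true
    reduced: zeroed,                           // Chrome/<major>.0.0.0
    major: m ? Number(m[1]) : null,
    mobile: /\bMobile\b/.test(ua),
    platform: platform ? platform[1] : null,
    model: model ? model.replace(/^"|"$/g, '') : null,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REDUCED = {
  'User-Agent': 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/101.0.0.0 Mobile Safari/537.36',
  'Sec-CH-UA-Reduced': '?1',
  'Sec-CH-UA-Model': '"Pixel 5"',
};
const SAMPLE_FULL = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
};
```

Server-side code that still parses a device model or full version out of `User-Agent` is the part to audit: with the reduced string those fields arrive only through the client hints the site has requested.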


Chris Harrelson

Apr 22, 2022, 12:04:31 PM
to Ali Beyad, blink-dev
LGTM


Jerilyn D.

Apr 26, 2022, 12:07:26 PM
to blink-dev, abe...@chromium.org
Hello,

I just want to get confirmation for the following:
1) Going forward, the User-Agent HTTP header will continue to return information but just reduced information. This HTTP header will not be dropped or suddenly return empty string or null data in the future.
2) If we want more information, that is when we will need to use the new user-agent client hints HTTP headers.
3) Going forward, the navigator.userAgent JS API will continue to return information but just reduced information. It will not be dropped or suddenly return empty string or null data in the future.
4) Will the enterprise policy to disable user-agent reduction feature continue to work or will this eventually not be honored in future Chrome versions (and which future Chrome version)?

Thanks!

Ali Beyad

Apr 26, 2022, 12:11:17 PM
to Jerilyn D., blink-dev
On Mon, Apr 25, 2022 at 9:14 PM Jerilyn D. <d.je...@gmail.com> wrote:
> Hello,
>
> I just want to get confirmation for the following:
> 1) Going forward, the User-Agent HTTP header will continue to return information but just reduced information. This HTTP header will not be dropped or suddenly return empty string or null data in the future.

That's correct

> 2) If we want more information, that is when we will need to use the new user-agent client hints HTTP headers.

That's correct

> 3) Going forward, the navigator.userAgent JS API will continue to return information but just reduced information. It will not be dropped or suddenly return empty string or null data in the future.

That's correct

> 4) Will the enterprise policy to disable user-agent reduction feature continue to work or will this eventually not be honored in future Chrome versions (and which future Chrome version)?

For now, we don't have a termination date for the enterprise policy, so you can expect it to work for the foreseeable future. If we did decide to end the enterprise policy of disabling UA reduction, we would give enterprises plenty of notice and runway, but for now we have no plans to remove this enterprise policy.

Jerilyn D.

Apr 26, 2022, 1:32:54 PM
to blink-dev, abe...@chromium.org
Thanks!

Jerilyn D.

Apr 26, 2022, 5:04:06 PM
to blink-dev, abe...@chromium.org, blink-dev
We are testing this reduction change in Chrome 100 using experimental flag settings as:

#full-user-agent : Disabled

#reduce-user-agent: Enabled

This is the correct way to test right now? However, this experimental feature will not kick in when we run Chrome (in desktop) in mobile emulation mode, right?



Ali Beyad

Apr 27, 2022, 9:43:36 AM
to Jerilyn D., blink-dev
On Tue, Apr 26, 2022 at 4:58 PM Jerilyn D. <d.je...@gmail.com> wrote:
> We are testing this reduction change in Chrome 100 using experimental flag settings as:
>
> #full-user-agent : Disabled
>
> #reduce-user-agent: Enabled
>
> This is the correct way to test right now? However, this experimental feature will not kick in when we run Chrome (in desktop) in mobile emulation mode, right?

Yes, there are two ways to test. One is by the origin trial, if you are a site maintainer that wants this behavior applied to some portion of your traffic.

If you are going for one-off testing, then yes, setting the chrome://flags is the way to go. You don't need to set #full-user-agent; keep that the default. All you need to do is set chrome://flags/#reduce-user-agent to Enabled.

Anything that overrides the UA string will result in these flags or origin trials not taking effect.

Ronan Cremin

May 4, 2022, 11:31:23 AM
to blink-dev, abe...@chromium.org, blink-dev, Jerilyn D.
> In the long term, we expect this change to improve compatibility, as UA detection based on UA-CH is bound to be more reliable than the current status quo.

Data so far suggests that this is not in fact the case due to model name collisions e.g. X1, A1 etc. See https://github.com/WICG/ua-client-hints/issues/69

Ali Beyad

May 5, 2022, 10:49:44 AM
to Ronan Cremin, blink-dev, Jerilyn D.
On Wed, May 4, 2022 at 9:53 AM Ronan Cremin <ronan....@gmail.com> wrote:
>> In the long term, we expect this change to improve compatibility, as UA detection based on UA-CH is bound to be more reliable than the current status quo.
>
> Data so far suggests that this is not in fact the case due to model name collisions e.g. X1, A1 etc. See https://github.com/WICG/ua-client-hints/issues/69

I responded on the GitHub issue, but as Yoav pointed out, Sec-CH-UA-Model does sometimes contain the brand name. In the cases where it doesn't, where you mentioned it can be inferred from other parts of the UA string, you could request the corresponding client hints to infer the brand.