Intent To Experiment: User-Agent Client Hints GREASE Update

[Matt Reichhoff]

Contact emails

mreic...@chromium.org, mike...@chromium.org, jadek...@chromium.org

Explainer

https://github.com/WICG/ua-client-hints#user-agent-client-hints

Specification

https://wicg.github.io/ua-client-hints/#grease

Summary

We seek to align our implementation of GREASE in User Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. This is to help prevent bad assumptions from being built on top of User-Agent strings.

This intent seeks approval to begin an experiment on stable at 1% with the m98 release. Due to a clerical error, the experiment is already running on m98 in beta. The goal is to determine whether the new spec is web compatible via a controlled experiment before we ship to stable.

Blink component

Privacy>Fingerprinting

TAG review

https://github.com/w3ctag/design-reviews/issues/640

TAG review status

In progress, but all raised issues addressed.

Risks

Interoperability and Compatibility

The prior inclusion (in 2020) of escaped ASCII 0x22 (double quote) and 0x5C (backslash) proved to be web incompatible and was rolled back. While we do not anticipate similar problems with the updated character list, we have taken (or will take) the following actions to validate this assumption:

• Pre-launch testing of the new characters against known-common sites, which will include tests against the components known to have been incompatible with the prior implementation [COMPLETED].

• Addition of an enterprise policy escape hatch [COMPLETE].

• A phased rollout along with monitoring of HTTP 4XX response rates [PROPOSED HERE].

Gecko: Non-harmful (https://mozilla.github.io/standards-positions/#ua-client-hints)

WebKit: No signal

Web developers: No signals

Other signals: N/A

Goals for experimentation

A phased rollout is desired to ensure the changes to the spec are web-compatible. To that end, we will begin with 1% of users on stable, with monitoring of HTTP response codes to ensure the change is non-breaking.

Debuggability

N/A; no change required

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No (not on WebView or iOS)

Is this feature fully tested by web-platform-tests?

Yes

Flag name

--enable-features="GreaseUACH:updated_algorithm/true"

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1164423

Estimated milestones

We anticipate this experiment starting in M98 and running for 2 milestones, but it could extend if the data is inconclusive. We are most concerned about website tail behavior with this change, which can make data gathering slower than we’d like.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5630916006248448

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/ueudFsZzT1M

[Mike West]

LGTM to experiment with this change on a small percentage of stable in M98 and M99. Presumably you'll be keeping an eye on metrics and bug reports to roll it back in case unexpected incompatibility is discovered.

Out of curiosity, what is the new character set with which you'll be working? The spec link was fairly generic, describing a strategy rather than an algorithm.

-mike

[Matt Reichhoff]

Thanks for the response! Yes, we will be keeping an eye on metrics and bug reports.

In terms of the character set, it is defined here: https://wicg.github.io/ua-client-hints/#create-arbitrary-brands-section

It includes: 0x20 (SP), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x2D (-), 0x2E (.), 0x2F (/), 0x3A (:), 0x3B (;), 0x3D (=), 0x3F (?), 0x5F (_). The prior implementation included only space (0x20) and semicolon (0x3B).

[Mike Taylor]

And in case anyone wonders: why those ones in particular? It's everything that's allowed inside an sf-string, except escaped "\" and escaped DQUOTE (because we know those make WAFs very, very sad).