Intent to Implement: `Sec-CH-UA-*` Client Hints.

863 views
Skip to first unread message

Mike West

unread,
Jan 22, 2019, 5:32:04 AM1/22/19
to blink-dev, Thiemo Nagel
# Contact emails

# Spec

# Summary
The set of `Sec-CH-UA-*` client hints aim to deprecate and replace the `User-Agent` header in order to reduce the passive fingerprinting surface we expose via HTTP requests.

# Motivation
User agents identify themselves to servers as part of each HTTP request via the `User-Agent` header. This header's value has grown in both length and complexity over the years; a complicated dance between server-side sniffing to provide the right experience for the right devices on the one hand, and client-side spoofing in order to bypass incorrect or inconvenient sniffing on the other. Chrome on iOS, for instance, currently identifies itself as:

```
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/69.0.3497.105 Mobile/15E148 Safari/605.1
```

While Chrome on Android sends something more like:

```
User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 2 XL Build/PPP3.180510.008) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36
```

There's a lot of entropy wrapped up in the UA string. This makes it an important part of fingerprinting schemes of all sorts. Safari has recently taken some steps to reduce the entropy of the user agent string, initially locking it to a single value, period, and then backing off a bit due to developer feedback. The client hint mechanism seems like it might allow user agents generally to be a little more aggressive.

# Interoperability risk
At TPAC, we had an interesting discussion with folks from Brave, Safari, Edge, and others in the room. I think it's fair to say that folks are skeptical of client hints generally, but positive on the potential of using the infrastructure to reduce fingerprinting surface via these specific hints.

Edge: No public signals, but see above.
Safari: Mixed signals. See above.
Firefox: Mixed signals. Mozilla folks weren't in the room at TPAC, but we have other evidence to point to. They consider Client Hints generally to be "non-harmful", but I've gotten positive feedback on this hints in particular (https://lists.w3.org/Archives/Public/ietf-http-wg/2018OctDec/0176.html, for instance).

# Compatibility risk
Introducing this hint in itself won't affect any page, as it's purely opt-in. In the future, deprecating and freezing `User-Agent` will almost certainly have some compatibility risk that we'll need to evaluate as we go.

# Ongoing technical constraints
None.

# Will this feature be supported on all six Blink platforms
Yes.

# OWP launch tracking bug

# Link to entry on the Chrome Platform Status

# Requesting approval to ship?
No

Thanks!

-mike

er...@cloudinary.com

unread,
Jan 24, 2019, 11:39:17 AM1/24/19
to blink-dev, tna...@chromium.org
Just a note to say that the Spec URL is incorrect, above; the correct URL is: https://tools.ietf.org/html/draft-west-ua-client-hint
Reply all
Reply to author
Forward
0 new messages