Intent to Prototype: User-Agent Client Hints GREASE Update

166 views
Skip to first unread message

Matt Reichhoff

unread,
Oct 14, 2021, 5:45:29 PM10/14/21
to blink-dev, Mike Taylor, Brian Lefler, Jade Kessler

Contact emails

mreic...@chromium.org, b...@chromium.org, mike...@chromium.org, jadek...@chromium.org


Explainer

https://github.com/WICG/ua-client-hints#user-agent-client-hints


Specification

https://wicg.github.io/ua-client-hints/#create-arbitrary-brands-section

https://wicg.github.io/ua-client-hints/#grease


API spec

Yes


Summary

This proposal seeks to align our implementation of GREASE in User Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version.


Blink component

Privacy>Fingerprinting


Motivation

User-Agent GREASE is intended to discourage arbitrary user agent blocklists and other assumptions being built on top of the User-Agent header. A similar concept exists in TLS. This practice is currently implemented in Chromium, but today’s implementation differs slightly from the current spec. If implemented, this proposal would enable additional GREASE characters (the full list includes the following ASCII characters: 0x20 (SP), 0x28 (left parenthesis), 0x29 (right parenthesis), 0x2D (-), 0x2E (.), 0x2F (/), 0x3A (:), 0x3B (;), 0x3D (=), 0x3F (?), 0x5F (_)) and vary the arbitrary version over time. Note that the GREASE portion of the header would remain constant per major version, in accordance with the spec.


TAG review

UA-CH is currently in review


Risks

The prior inclusion of escaped ASCII 0x22 (double quote) and 0x5C (backslash) proved to be web incompatible and was rolled back. While we do not anticipate similar problems with the updated character list, we will take the following actions to validate this assumption:

  • Pre-launch testing of the new characters against known-common sites, which will include tests against the components known to have been incompatible with the prior implementation.

  • A phased rollout along with monitoring of HTTP 4XX response rates.


Interoperability and Compatibility

WebKit: No official position; mild positive signals.

Firefox: UA Client hints considered non-harmful

 

Is this feature fully tested by web-platform-tests?

We will be adding web-platform-tests to validate this functionality.


Tracking bug

https://crbug.com/1164423  


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5995832180473856

Matt Reichhoff

unread,
Oct 18, 2021, 1:52:09 PM10/18/21
to blink-dev, Mike Taylor, Brian Lefler, Jade Kessler
A small update:
(also updated below)

Reply all
Reply to author
Forward
0 new messages