Intent to Ship: Sec-CH-UA-Full-Version-List user-agent client hint

184 views
Skip to first unread message

Victor Tan

unread,
Nov 22, 2021, 11:39:47 AM11/22/21
to blin...@chromium.org

Contact emails

vict...@chromium.org, mike...@chromium.org, jadek...@chromium.org


Specification

https://wicg.github.io/ua-client-hints/#sec-ch-ua-full-version-list


Summary

The Sec-CH-UA-Full-Version-List request header field gives a server information about the full version for each brand in its brands list.


Blink component

Privacy>Fingerprinting


Motivation

As raised in UA-CH Issue 196, Sec-CH-UA-Full-Version can be considered too tightly bound to the  primary brand in the brand list, especially for embedders. In order to prevent classes of bugs where a site might think the fictional “Hamburger” browser is not up to date (because its version scheme is different, and lower than Chromium’s), we propose to expose the full version of each brand in the brand list, by requesting this new client hint.

Here’s what that would look like:

Sec-CH-UA-Full-Version-List: “Hamburger”; v="92.0.902.73", "Chromium"; v="92.0.4515.131", "?Not:A Browser"; v="3.1.2.0"

Eventually, it will make sense to deprecate and remove Sec-CH-UA-Full-Version (assuming usage allows us to do so). But we do not intend to do that until we ship its replacement.


Initial public proposal

https://github.com/WICG/ua-client-hints/issues/196


TAG review

https://github.com/w3ctag/design-reviews/issues/640


TAG review status

Pending (there’s a pre-existing review, and this hint came up in the review process as feedback from other browsers, so the TAG is aware of it).


Risks

Interoperability and Compatibility

This is a new hint, so it should not create compatibility issues.

  Edge: This hint was added to solve a bug (maybe a feature request?) by Edge folks.

Gecko: Non-harmful (https://mozilla.github.io/standards-positions/#ua-client-hints)

WebKit: Requested through email

Web developers: No signals

Debuggability

No special DevTools support needed. It should just work™.


Is this feature fully tested by web-platform-tests?

Yes. https://chromium-review.googlesource.com/c/chromium/src/+/3256910 


Flag name

UserAgentClientHintFullVersionList


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1249246


Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1260418


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5703317813460992


Victor Tan

unread,
Nov 23, 2021, 9:49:58 AM11/23/21
to blink-dev, Victor Tan, Yoav Weiss, Aaron Tagliaboschi, Ali Beyad
Hi,
Could you also review and ship this in blink-dev? Thanks!

Bests,
Victor

Yoav Weiss

unread,
Nov 23, 2021, 11:32:33 AM11/23/21
to Victor Tan, blin...@chromium.org
LGTM1

Thanks for addressing feedback from other vendors on `Sec-CH-Full-Version`'s design!

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJh4P7FdCmHAA-8b1CH_So%3D2Fur2dZO8SKNetWmEetQ1KcP9_A%40mail.gmail.com.

Mike West

unread,
Nov 24, 2021, 8:50:42 AM11/24/21
to Yoav Weiss, Victor Tan, blin...@chromium.org

Chris Harrelson

unread,
Nov 24, 2021, 11:26:34 AM11/24/21
to Mike West, Yoav Weiss, Victor Tan, blin...@chromium.org
Reply all
Reply to author
Forward
0 new messages