[Webkit-unassigned] [Bug 241749] Implement User-Agent Client Hints

bugzilla-daemon at webkit.org
Sat Jun 18 09:13:46 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=241749

Sam Sneddon [:gsnedders] <gsnedders at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |beidson at apple.com,
                   |                            |gsnedders at apple.com,
                   |                            |mjs at apple.com,
                   |                            |webkit-bug-importer at group.a
                   |                            |pple.com,
                   |                            |wilander at apple.com
          Component|DOM                         |Page Loading

--- Comment #1 from Sam Sneddon [:gsnedders] <gsnedders at apple.com> ---
> User-Agent Client Hints (https://wicg.github.io/ua-client-hints/) define a set of Client Hints that aim to provide developers with the ability to perform agent-based content negotiation when necessary, while avoiding the historical baggage and passive fingerprinting surface exposed by the venerable User-Agent header.

UACH won't decrease passive fingerprinting surface for Safari on macOS; on macOS the WebKit-provided UA string is:

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)"

Safari then adds a suffix to this, "Version/16.0 Safari/605.1.15" in my current case. And only the "Version/16.0" part isn't a constant there.

The iOS case does have slightly more variability giving away the device type and OS version.

> - New headers starting with "Sec-CH-UA" that provide information about the user agent to the server.

We've been fairly ambivalent about these, given in our case it doesn't lead to much decrease in passive fingerprinting ability, and we are unlikely to be more truthful in the "high entropy" hints (i.e., those which don't appear in the "low entropy hint table") when they are requested.

> - A JavaScript API (navigator.userAgentData) that makes this information accessible via JavaScript.

I don't think we've had much discussion thus far about the JS API; personally, while I see there's some level of benefit in not having to parse the UA string, it's not clear that provides much advantage in reality.
