Thanks! In the spirit of your first point, I’m going to split your three issues into somewhat more than three things to talk about.
We could certainly split
UA-Brand. That would be consistent with splitting the rest of the detail out into distinct headers. That said, I see “Chrome 41” and “Chrome 73” as being actually different browsers in a deep way. It’s not clear to me that either the branding or version information would be meaningful on its own.
Advertising the engine for browsers whose brand is otherwise ambiguous is probably a good idea. I’m not sure I prefer it to advertising the variant as part of the branding (e.g. the status quo’s
CriOS as opposed to
Chrome). Do you have a reason for preferring the separate header?
One might be that every iOS browser will use the same engine for reasons, so advertising
WKWebView or something as the underlying engine might set expectations appropriately. One response to that is that Chrome’s
WKWebView has all sorts of things injected into it to enable APIs that WebKit doesn’t (yet?) support, so that Chrome’s WebView is actually quite distinct from Edge’s, which is yet again distinct from Firefox’s. It seems reasonable to me to reflect that in the branding.
I tend to believe the folks who have told me that it’s hopelessly naive to expect browser vendors not to lie about their nature if developers gate access to features based on user agent information advertised in the request. In my mind, the question is how to support these white lies without destroying the usefulness of the mechanism in the process.
Why is lying bad? In particular, the explainer’s GREASE-like suggestion to turn
UA into a set with intentional lies is pretty appealing. It forces developers to parse the whole
UA string, and gives smaller players the ability to talk about themselves in one part of the string, while advertising themselves as someone else for purposes of compatibility.
If there was a magic wand I could wave over the internet that made #1 above untrue, I would (perhaps developers will be overtaken by an aesthetic desire for clean UA string? And will start doing pure feature detection rather than relying on unique keys into a table of UA builds containing the genuine metadata?). I think it’s unlikely, given historical precedent.
because the idea that
UA is a client hint but somehow escapes the opt-in and gets sent anyway
A pedantic nit: it partially escapes the opt-in, insofar as the major version is exposed by default, and the minor version only after
Accept-CH: UA. But the point stands.
There’s no privacy benefit, there’s no security/fingerprinting benefit [to the opt-in]
As the explainer notes, browsers can make decisions about when to respect the site’s request. For example, browsers that categorize the world into “Boo!” and “Yay!” via some heuristic or other can deny additional detail to the former and grant it to the latter.
As the explainer doesn’t note, but ought to, the public nature of the opt-in makes data collection visible to researchers, regulators, and users who care. Rather than broadcasting entropy to every site indiscriminately, we’ll get some collective insight into the entities who actually want to collect it, and the entities with whom they choose to share that detail.
new request headers like
Sec-Metadata have not followed this pattern
The guy who wrote that spec probably had good reasons for not following the pattern. He might, for instance, have thought that the requests which are interesting from a security perspective are all third-party (e.g.
evil.com poking at a CSRF vulnerability in
bank.com, or executing cross-site search attacks against
bing.com), and that attackers would be sincerely unlikely to delegate helpful metadata collection to their victims via
I’ve previously suggested that this design encourages developers to start any user session with a redirect to capture full CH data before producing a page.
That’s a thing that could happen. It has minor perf impacts. But since we’d ideally redirect through the apex of a registrable domain anyway to set
Strict-Transport-Security headers with
includeSubdomains, it’s not clear that it’s actually not best practice?
Thanks again for your feedback!