[Proposal] Reduce fingerprinting in the Accept-Language header

A problem

Chrome (and other browsers) send all of the user’s language preferences on every HTTP request via the Accept-Language header. The header’s value contains a lot of entropy about the user that is sent to servers by default. While some sites use this information for content negotiation, servers can also passively capture this information without the user’s awareness to fingerprint a user. As part of the Chrome team’s anti-covert tracking efforts, we would like to improve privacy protections by minimizing passive fingerprinting surfaces.

A proposal

Hi @victortan, are you looking for feedback here, or in GitHub?

I’m wondering how this works with redirects.

For example, I have a site whose root page redirects based on the first matching language in the Accept-Language header.

e.g. https://mysite.org/ redirects to either https://mysite.org/en/ or https://mysite.org/ja/

This allows linking to or bookmarking a specific language-version site since the user may choose to navigate to an alternate language based on their preferences.

Is the proposal here that the 301 redirect response includes the Content-Language / Vary / Variants headers?

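The redirect flow @birtles describes, as an added example (not code from the thread or from Chrome): a server parses Accept-Language with its q-values, picks the first supported language, and answers the root page with a 301 whose Content-Language and Vary headers make the negotiation explicit. The site origin, the set of supported languages (`en`, `ja`) and the fallback language are assumptions.

```python
"""Added example, not from the original thread: server-side Accept-Language
negotiation for a root-page redirect, with Content-Language and Vary set on
the 301 so caches and clients can see what the choice depended on."""
import re

# Assumed values for the hypothetical site in the thread.
SITE = "https://mysite.org"
SUPPORTED = ("en", "ja")
DEFAULT_LANG = "en"

# Loose BCP 47 shape: primary subtag plus optional hyphenated subtags.
_TAG = re.compile(r"^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*$")


def parse_accept_language(header):
    """Return [(language_range, q)] sorted by descending q, keeping the
    header's own order for equal q values. Malformed entries are skipped
    rather than raising, since this header is attacker-controlled input."""
    ranges = []
    for pos, item in enumerate(header.split(",")):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        tag, q = parts[0], 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if tag != "*" and not _TAG.match(tag):
            continue
        ranges.append((tag, max(0.0, min(q, 1.0)), pos))
    ranges.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, q) for tag, q, _ in ranges]


def negotiate(header, supported=SUPPORTED, default=DEFAULT_LANG):
    """First acceptable range (q > 0) whose primary subtag the site supports,
    so 'en-US' selects 'en'; '*' accepts anything and yields the default."""
    for tag, q in parse_accept_language(header or ""):
        if q <= 0:
            continue
        if tag == "*":
            return default
        primary = tag.split("-")[0].lower()
        if primary in supported:
            return primary
    return default


def redirect_response(accept_language):
    """Root-page redirect: Location carries the chosen language,
    Content-Language states the choice, and Vary: Accept-Language tells
    caches that the answer depends on the request header, so one user's
    redirect is never replayed to a user with different preferences."""
    lang = negotiate(accept_language)
    return {
        "status": 301,
        "headers": {
            "Location": f"{SITE}/{lang}/",
            "Content-Language": lang,
            "Vary": "Accept-Language",
        },
    }


if __name__ == "__main__":
    # Constructed sample header, typical of a multi-language preference list.
    print(redirect_response("ja,en-US;q=0.9,en;q=0.8"))
```

Note that the whole ordered list is still readable by the server here; only the first supported entry is actually needed for the redirect, which is the gap the proposal targets.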

Hi @birtles, sorry for the late response. I haven’t received the email notifications for discourse link comments. I will reply in GitHub. Thanks.