[Proposal] Reduce fingerprinting in the Accept-Language header

victortan · 2022-04-19

A problem

Chrome (and other browsers) send all of the user’s language preferences on every HTTP request via the Accept-Language header. The header’s value contains a lot of entropy about the user that is sent to servers by default. While some sites use this information for content negotiation, servers can also passively capture this information without the user’s awareness to fingerprint a user. As part of the Chrome team’s anti-covert tracking efforts, we would like to improve privacy protections by minimizing passive fingerprinting surfaces.

A proposal

birtles · 2022-04-26

Hi @victortan, are you looking for feedback here, on in GitHub?

I’m wondering how this works with redirects.

For example, I have a site whose root page redirects based on the first matching language in the Accept-Language header.

e.g. https://mysite.org/ redirects to either https://mysite.org/en/ or https://mysite.org/ja/

This allows linking to or bookmarking a specific language-version site since the user may choose to navigate to an alternate language based on their preferences.

Is the proposal here that the 301 redirect response includes the Content-Language / Vary / Variants headers?

victortan · 2022-04-28

Hi @birtles , sorry for the late response. I haven’t received the email notifications for discourse link comments. I will reply in Github. Thanks.

dtruffaut · 2022-07-19

github.com/Tanych/accept-language

Vary = cache miss | Proposal = /.well-known/accept-language

opened 11:56PM - 16 Jul 22 UTC

dtruffaut

# Problem Given - Developers need to send a Vary header on Accept-Language … - Accept Language has lots of variations (language, script, region, subtags...) This solution could lead to multiply each cache entry (example.com has many urls) by an order of thousand (all accept-language variations), leading to cache exclusions (LRU), thus tons of cache misses on edge servers. This would hurt performance a lot. References on Vary and locales: - https://www.fastly.com/blog/best-practices-using-vary-header#bad-to-the-bone - https://www.rfc-editor.org/rfc/rfc4647.txt (search for "goethe") - https://www.soluling.com/Help/MultiScriptLanguages.htm # Solution Expose accepted languages on a well-known url > /.well-known/accept-language >es fr en en-US en-GB pt pt-BR zh zh-Hant 1) When user goes to example.com, the static page `/.well-known/accept-language` is queryied in parallel, and cached accordingly. 2) While the page is loading, the Browser checks `/.well-known/accept-language` fast response and determines if there is a better language for the user among those proposed by example.com 3) If so, Browser stops navigation and send Accept-Language: es 4) Browser receives es content and displays it. 5) On further navigations, - If the cache of the `/.well-known/accept-language` is valid, Browser queries this local cached file, select the best language and send Accept-Language: es - If the cache of the `/.well-known/accept-language` file is expired, Browser goes to step 1) References on well-known urls: - https://web.dev/change-password-url/ Other possibilities: - robots.txt (easy, mastered by webdevs, but some noise involved by other information already present in that file) - dedicated sitemap (a little bit overwhelming)