18 votes

Intent to Deprecate and Freeze: The User-Agent string

5 comments

  1. [4]
    dblohm7
    Link
    The User Agent string is a dumpster fire. OTOH, Google's proposed cure might be worse than the disease, IMHO. (Personal opinion, does not reflect stance of my employer, etc.)

    The User Agent string is a dumpster fire. OTOH, Google's proposed cure might be worse than the disease, IMHO. (Personal opinion, does not reflect stance of my employer, etc.)

    9 votes
    1. [3]
      skybrian
      Link Parent
      I don't know either, but I did skim the proposal. Some parts seemed like good improvements and other parts seemed vague.

      I don't know either, but I did skim the proposal. Some parts seemed like good improvements and other parts seemed vague.

      2 votes
      1. [2]
        dblohm7
        Link Parent
        Once concern that I personally have is that Client Hints are being done as part of their "Privacy Sandbox" project, which is a very Google-centric initiative. How that actually pans out in terms...

        Once concern that I personally have is that Client Hints are being done as part of their "Privacy Sandbox" project, which is a very Google-centric initiative. How that actually pans out in terms of specs will be key: if client hints are usable apart from other privacy sandbox tech, then it will be useful to other browser engines. If we need to support all privacy sandbox tech in order to use client hints, then we're just handing another feature over to Google.

        5 votes
        1. skybrian
          Link Parent
          It looks like the intention is that "client hints" becomes a web standard separately from the rest. I linked about to a W3C proposal and there is also an IETF draft and a separate intent to ship...

          It looks like the intention is that "client hints" becomes a web standard separately from the rest. I linked about to a W3C proposal and there is also an IETF draft and a separate intent to ship for Client Hints on the Chromium mailing list.

          No word yet on whether the other browsers will play ball; I guess this proposal is too new?

          2 votes
  2. skybrian
    Link
    From the article: [...]

    From the article:

    We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in navigator.userAgent

    [...]

    There have been past attempts at UA string freezing from the Safari team, but without an alternative way to perform UA based content-negotiation, they had to be partially reverted.

    The User Agent Client Hints (UA-CH) feature provides an alternate source for the information the User-Agent string provides, both in its request header form as well as its JS API one.

    Its main advantages are:

    • It provides the required information only when the server requests it, over secure connections, making any fingerprinting that relies on it be active fingerprinting, which enables such use to be audited, as well as acted-upon by the browser (e.g. in a future implementation of the Privacy Budget).

    • It provides the information in small increments, so servers are only exposed to the information they need and request, rather than being exposed to the full gamut of the UA string even if they are just trying to figure out one detail about the browser. (e.g. brand and major version)

    • Since it provides the information via dedicated fields, it enables better ergonomics and makes it less likely for servers to get it wrong and cause compatibility issues.

    • And finally, starting fresh will enable us to drop a lot of the legacy baggage that the UA string carries (“Mozilla/5.0”, “like Gecko”, “like KHTML”, etc) going forward.

    4 votes