User login notification - avoid steering web developers to client side JavaScript

[jwrosewell]

The User login notification section of the Draft Report states the following.

Since such messaging doesn’t require any server-side adaptation, it’s better for this case to use the userAgentData.getHighEntropyData() method in order to retrieve the required information.

We know that login notification methods, often provided by B2B suppliers to B2C web site operators, record the device model so that people can inspect their activity and see the different devices used.

The following example shows the laptop model code used to login to an email solution where the entire solution is operated by a highly integrated B2C organisation.

In my experience this is most often achieved server side from the User-Agent string value rather than via JavaScript. The document should be modified to avoid steering developers towards client side technologies.

[miketaylr]

The document should be modified to avoid steering developers towards client side technologies.

The spec doesn't (and shouldn't) claim the HTTP API is good and JS API is less good. Someone who has a different opinion might suggest we not mention server-side adaptation in https://wicg.github.io/ua-client-hints/#os-integration-use-case, for example.

(Besides, the Use Cases are non-normative - I'll add a note to make that more clear).