WICG / ua-client-hints

Wouldn't it be nice if `User-Agent` was a (set of) client hints?
https://wicg.github.io/ua-client-hints/

3rd Party Fraud protection #276

Closed dgstpierre closed 1 year ago

dgstpierre commented 2 years ago

I'm seeing some discussion on fraud prevention issues, but only in reference to first party. There are many of us that provide third party fraud prevention for clients that are not tech savvy. Just look at the Market Research industry for a wealth of examples. We critically rely on getting the full browser and OS versions by default for our detection techniques (especially of bots) as opposed to using them to track. Blurring Fingerprinting as bad, in general, when it is a major fraud prevention technique seems to be a flawed and narrow opinion.

Why not allow the Sites to decide? And not just first party. Will there be a mechanism for the Sites to make that decision and allow 3rd Parties to have access to all the detail by default, so that no additional handshaking is necessary before rolling out all these fraud-prevention-damaging changes? I don't see a good reason for not allowing this, and it should be thought through before rolling something out that limits this information and damages third party fraud prevention companies.

amtunlimited commented 2 years ago

If you're asking about how client hint headers can be delegated to 3rd party requests, see https://web.dev/user-agent-client-hints/#hint-scope-and-cross-origin-requests

TL;DR 1st parties can use the Permissions-Policy header to delegate client hints headers. We're also working on a completely markup-based solution (cc @arichiv)

If you're asking about the JS userAgentData API, there's currently no 3rd party blocking.

dgstpierre commented 2 years ago

Got it, I'll try out the Permissions-Policy. I didn't realize that the JS userAgentData API was not restricted; if, as a third party, I have access to the full set of hints through that, that will be extremely helpful.

Related question is how do we require upfront that all the detailed hints are provided so that a second request doesn't have to be made? The approach of subsequent requests doesn't work when we need to identify fraud on the first request.

Sora2455 commented 2 years ago

Through the Critical CH header, I imagine.
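Putting the two answers together (Permissions-Policy delegation of the hint headers and Critical-CH to get them on the first request), the following is an added example, not code from the ua-client-hints project or from anyone in this thread. It builds the response headers a first-party page would send, and gives the third party a way to check whether a given page's policy actually delegates a hint to its origin; the origins are constructed sample values.

```javascript
// Map from high-entropy client-hint request header to its Permissions-Policy
// feature name (the names the Client Hints Infrastructure spec defines).
const HINT_FEATURES = {
  'Sec-CH-UA-Platform-Version': 'ch-ua-platform-version',
  'Sec-CH-UA-Full-Version-List': 'ch-ua-full-version-list',
  'Sec-CH-UA-Arch': 'ch-ua-arch',
  'Sec-CH-UA-Bitness': 'ch-ua-bitness',
  'Sec-CH-UA-Model': 'ch-ua-model',
};

// Headers the first party sends so the browser (a) opts in to the hints,
// (b) retries the navigation with them if they were missing (Critical-CH),
// and (c) delegates them to the listed third-party origins.
function buildClientHintHeaders(hints, thirdPartyOrigins) {
  for (const h of hints) {
    if (!(h in HINT_FEATURES)) throw new Error(`unknown hint: ${h}`);
  }
  for (const o of thirdPartyOrigins) {
    // Delegation only works to secure origins; reject anything that is not
    // exactly an https origin (no path, no trailing slash).
    const u = new URL(o);
    if (u.protocol !== 'https:' || u.origin !== o) throw new Error(`not a secure origin: ${o}`);
  }
  const allowList = ['self', ...thirdPartyOrigins.map((o) => `"${o}"`)].join(' ');
  return {
    'Accept-CH': hints.join(', '),
    'Critical-CH': hints.join(', '),
    'Permissions-Policy': hints.map((h) => `${HINT_FEATURES[h]}=(${allowList})`).join(', '),
  };
}

// Third-party side: does this page's Permissions-Policy delegate `hint` to `origin`?
// A feature that is not listed keeps its default allowlist of 'self', so a third
// party gets nothing in that case.
function isHintDelegated(permissionsPolicy, hint, origin) {
  const feature = HINT_FEATURES[hint];
  for (const directive of permissionsPolicy.split(',')) {
    const m = directive.trim().match(/^([a-z-]+)=\((.*)\)$/);
    if (!m || m[1] !== feature) continue;
    return m[2].split(/\s+/).some((t) => t === '*' || t === `"${origin}"`);
  }
  return false;
}

// Constructed sample: a publisher page delegating two hints to a fraud-check vendor.
const sampleHeaders = buildClientHintHeaders(
  ['Sec-CH-UA-Platform-Version', 'Sec-CH-UA-Full-Version-List'],
  ['https://fraud-check.example'],
);
module.exports = { HINT_FEATURES, buildClientHintHeaders, isHintDelegated, sampleHeaders };
```

The embedded script on the vendor's origin still has to request the values itself (headers on its own subresource requests, or `navigator.userAgentData.getHighEntropyValues`); these headers only make the first party's delegation explicit.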

dgstpierre commented 2 years ago

Where do I go to follow the Permissions-Policy markup-based solution? That sounds like what I'll need my clients to use, by adding the permissions to the pages I'm embedded on. Thanks.

miketaylr commented 2 years ago

https://github.com/WICG/client-hints-infrastructure/issues/73 was the PR that added it to the CH Infra spec, and https://bugs.chromium.org/p/chromium/issues/detail?id=1219359 is the bug that tracks that work in Chromium.

miketaylr commented 1 year ago

I think this issue can be closed now (let me know if I'm mistaken).