Closed dannette closed 11 months ago
Thank you, it has indeed been well on my mind the last couple weeks.
You'll still be able to detect that it is Chrome but the Version and OS will no longer be reliable.
On the one hand I'm kinda sad about it, on the other hand it is legitimately a powerful detail used in fingerprinting.
I just wish there was a solution other than "use JavaScript" to get browser information moving forward, as that complicates a lot of things.
I'm pinning your ticket as I'm sure others will come with questions.
Will we be able to still get the platform/device type do you think?
Google will unify the UA desktop OS string as a common value for desktop browsers. Google will also unify mobile OS/device strings as a similarly common value.
So presumably we'll be able to separate Desktop from Mobile, but not say Windows from macOS or Android from iOS
https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html
This has taken Chrome a lot longer to roll out than expected. From the sound of it, it won't begin rolling out until ~Chrome 101
It does however seem like we will be able to use the Sec-CH-UA / Sec-CH-UA-Mobile / Sec-CH-UA-Platform headers to get some information about what version of Chrome we're seeing server side, so that's helpful at the very least.
@donatj I use this library in an app for my work and have client hints coming up as something to address. Would be happy to help with implementation if you are interested.
A reference for how the user agent is changing: https://www.chromium.org/updates/ua-reduction/
Does seem like you will be able to differentiate OS as well as desktop/mobile. The version will just be unreliable.
@donatj As this is coming up for my work, I'm going to do a fork (and then I'll do a PR back to here) to add unit tests for the reduced strings, just to assure they will work (it looks to me like they will).
I'm also going to look into how to add the client hints support.
Looks like client hints are opt-in based on the server (you have to send what headers you want). So it seems like they could be implemented as a separate option. Seems like either:
@derikb Reading your first link, it seems like we'll still get three major data points
I'm curious if major Chrome version is enough for most people? It's been enough for my needs anyway.
I'm open to the idea of parsing Sec-CH-UA* headers, and if non-Chromium browsers choose to support them in the future they'd probably be the default source of data
I'm confused about Accept-CH on the response. Does that set the requested Sec headers for subsequent responses? Clearly not on the initial response as you've already sent it. If I needed them now, would I just redirect? Seems like more of a dance than I'm happy about.
Yeah, that whole Accept-CH thing seems a bit overcomplicated. (I'm reading it the same way you are.) Would seem simpler to let the browser/user decide what strings they want to expose.
Those sample Sec-CH-UA headers in that MDN page are a bit crazy too. Confused why they all have incorrect brand strings as well as a generic and a specific string. Makes the parsing more complicated for sure.
Seems like at least a good first step for the forthcoming Chrome changes is making sure the "reduced" strings work/parse right.
Maybe a good second step is just parsing Sec-CH-UA if the UA is empty (so it's just a fallback albeit one with slightly less data), since that seems to get passed all the time, if I'm reading that correctly.
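The brand-list parsing and empty-UA fallback discussed above, as an added example that is not part of the thread or of the library's code. The function names are hypothetical, the header values are constructed, and the letters-only test for the placeholder brand is an assumed heuristic.

```python
import re

# One Sec-CH-UA list member: "brand";v="version". Quoted strings may contain
# ',' and ';' (the placeholder brands do), so naive splitting breaks.
_MEMBER = re.compile(r'"((?:[^"\\]|\\.)*)"\s*;\s*v\s*=\s*"((?:[^"\\]|\\.)*)"')
_UNESCAPE = re.compile(r'\\(.)')


def parse_brands(sec_ch_ua):
    """Return [(brand, version), ...] from a Sec-CH-UA header value."""
    return [(_UNESCAPE.sub(r'\1', b), _UNESCAPE.sub(r'\1', v))
            for b, v in _MEMBER.findall(sec_ch_ua or "")]


def is_placeholder(brand):
    # Assumed heuristic: the deliberately incorrect brand is a punctuation
    # variant of "Not A Brand", so compare letters only.
    return re.sub(r'[^a-z]', '', brand.lower()) == "notabrand"


def browser_from_hints(headers):
    """Return (browser, major_version, platform, is_mobile), or None when
    no usable Sec-CH-UA header was sent. Header names must match exactly."""
    brands = [bv for bv in parse_brands(headers.get("Sec-CH-UA"))
              if not is_placeholder(bv[0])]
    if not brands:
        return None
    # Prefer the specific brand ("Google Chrome") over the generic engine.
    specific = [bv for bv in brands if bv[0] != "Chromium"]
    brand, version = (specific or brands)[0]
    platform = headers.get("Sec-CH-UA-Platform", "").strip().strip('"') or None
    return brand, version, platform, headers.get("Sec-CH-UA-Mobile") == "?1"


# Constructed sample request headers (not captured traffic).
SAMPLE = {
    "User-Agent": "",
    "Sec-CH-UA": '" Not A;Brand";v="99", "Chromium";v="100", '
                 '"Google Chrome";v="100"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
}

if __name__ == "__main__":
    # Fallback: consult the hints only when the User-Agent is empty.
    if not SAMPLE.get("User-Agent"):
        print(browser_from_hints(SAMPLE))
```

These headers are client-supplied like the User-Agent itself, so the result is a display or analytics hint, not something to base an access decision on.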
Forked the repo and went through the info in https://www.chromium.org/updates/ua-reduction/ and compared to existing unit tests (and tried a few minor variations based on their examples) and I don't see anything that needs changing to handle the reduced user agents. The main difference I can see as far as the base platform/browser/version data goes is that version will be pegged to major version only.
If I am reading this all correctly, the UA strings in Chrome are not actually being removed yet. So if you only need the basic OS, browser, and browser major version data, you don't actually need to use client hints (at this time).
I'm going to close this, we're well into "the future" now and we're still doing roughly OK with the limited but still existing UAs
I'm hopeful this will stay pinned while being closed. If not, I may reopen it.
I just read an article on zdnet.com https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/ and was wondering if that will make this not work anymore.