phetsims / phet-core

Core utilities used by all PhET simulations.
MIT License

Audit usage of navigator userAgent, appVersion, and platform #90

Closed jessegreenberg closed 2 years ago

jessegreenberg commented 3 years ago

Putting in phet-core because that is where platform.js lives, but there are usages of these in a few places in the project.

@Nancy-Salpepi noticed this warning while testing involving a reduction in the amount of information available in the User Agent string. [image]

Here is information from Chrome about the changes and timeline: https://blog.chromium.org/2021/05/update-on-user-agent-string-reduction.html

jessegreenberg commented 3 years ago

Just noting the parts from https://blog.chromium.org/2021/05/update-on-user-agent-string-reduction.html that I found important:

Regarding timeline:

no User-Agent string changes will be coming to the stable channel of Chrome in 2021.

Regarding compatibility:

Once this is complete, you will still be able to reliably get the browser major version, platform name, and distinguish between desktop and mobile (or tablet), solely from the User-Agent string. For more advanced use cases, you should migrate to the User Agent Client Hints API.

Our plan was designed with backwards compatibility in mind, and while any changes to the User Agent string need to be managed carefully, we expect minimal friction for developers as we roll this out (i.e., existing parsers should continue to operate as expected).

If your site, service, library or application relies on certain bits of information being present in the User Agent string such as Chrome minor version, OS version number, or Android device model, you will need to begin the migration to use the User Agent Client Hints API instead.

If you don’t require any of these, then no changes are required and things should continue to operate as they have to date.

I don't see anything in platform.js about Chrome version number, OS version number, or Android device model. So we may be OK with this change. But adding to developer meeting to review with the team and check if anything should be done.

samreid commented 3 years ago

I noted that there are numerous usages of navigator.userAgent outside of platform.js as well. A few usages of navigator.platform elsewhere.

jessegreenberg commented 3 years ago

Discussed 8/19/21 at developer meeting:

It doesn't seem like we are using the features of the user agent strings that are being changed. According to https://blog.chromium.org/2021/05/update-on-user-agent-string-reduction.html there will be a trial version that we can test before the change goes live. When that is ready we can do some testing to make sure everything is still running OK.

@jonathanolson mentioned there might be some impacts on yotta but there likely isn't much we can do about it.

We added a reminder to the dev meeting doc to see if a trial version of Chrome with this change is ready yet, since there aren't any dates listed in https://blog.chromium.org/2021/05/update-on-user-agent-string-reduction.html for when that will happen.

zepumph commented 2 years ago

Bringing back up to dev meeting.

jessegreenberg commented 2 years ago

According to https://blog.chromium.org/2021/09/user-agent-reduction-origin-trial-and-dates.html and https://developer.chrome.com/blog/user-agent-reduction-origin-trial/

We can register for a trial version with user agent reduction here: https://developer.chrome.com/origintrials/#/view_trial/-7123568710593282047

We have until April 19th 2022 to register.

zepumph commented 2 years ago

We feel like this is worthy of discussion, but want to wait for @jonathanolson to be present. Before next week we would like to register in the link above, thanks for doing that @jessegreenberg.

MK sees that Chrome's message recommends navigator.userAgentData, but @samreid mentioned that it is not broadly supported by browsers.

We will discuss next week!

jessegreenberg commented 2 years ago

We do NOT want to register PhET for a trial; apparently that impacts all users of our origin!

When Chrome offers an origin trial for a feature, you can register for the trial to enable the feature for all users on your origin, without requiring them to toggle any flags or switch to an alternative build of Chrome (though they may need to upgrade).

But I think we can register localhost and use that to test locally.

zepumph commented 2 years ago

High priority to make sure we get to this next week.

jessegreenberg commented 2 years ago

So I thought by "registering" we would be able to download a trial version of Chrome. But you actually have to enable this feature with a response header from your own server. So here are the steps I took to be able to test this. I had to modify the source of http-server. If you have access to a config file with something like Apache maybe you will have an easier time.

  // For Chrome testing
  this.headers['Origin-Trial'] = '{{THE_KEY_YOU_RECEIVED_FROM_STEP_1}}';
  this.headers['Accept-CH'] = 'Sec-CH-UA-Reduced';
  this.headers['Critical-CH'] = 'Sec-CH-UA-Reduced';

And I can see a difference in the user agent string, such as the minor version of Chrome being 0.0.0 [image]

Here it is without the headers: [image]

jessegreenberg commented 2 years ago

I don't think we have anything to worry about here for sims. Here is the best list I found with examples about what is changing: https://www.chromium.org/updates/ua-reduction/#sample-ua-strings-phase-4

To summarize:

Assigning to @jonathanolson to confirm if you agree and also to consider if there are implications for yotta.

jonathanolson commented 2 years ago

No implications for yotta (we don't use the data that was reduced). I've scanned everything and I agree that this should not affect sims. It looks like our normal detections should work.
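
The kind of audit discussed in this thread can be mechanised by running each user-agent check against a full string and its reduced form and flagging any check whose answer changes. This is an added example, not code from platform.js or any PhET repository: the detectors and sample strings are constructed for illustration, and the fixed tokens in `reduceUserAgent` (`Android 10; K`, `Windows NT 10.0`, `Mac OS X 10_15_7`) follow Chromium's published reduced-UA format.

```javascript
// Added example: constructed UA strings and hypothetical detectors (not platform.js code).

// Apply the reductions the thread describes: the Chrome minor version becomes 0.0.0,
// and the OS version and Android device model tokens become fixed values.
function reduceUserAgent(ua) {
  return ua
    .replace(/Chrome\/(\d+)\.\d+\.\d+\.\d+/, 'Chrome/$1.0.0.0')
    .replace(/Android [\d.]+; [^)]+\)/, 'Android 10; K)')
    .replace(/Windows NT [\d.]+/, 'Windows NT 10.0')
    .replace(/Mac OS X [\d_]+/, 'Mac OS X 10_15_7');
}

// Hypothetical detectors of the kind an audit would look for in a code base.
const detectors = {
  isChromium: ua => /chrom(e|ium)/i.test(ua),
  isAndroid: ua => /Android/.test(ua),
  isMobile: ua => /Mobile/.test(ua),
  chromeMajor: ua => Number((ua.match(/Chrome\/(\d+)/) || [])[1]),
  chromeFullVersion: ua => (ua.match(/Chrome\/([\d.]+)/) || [])[1],
  androidModel: ua => (ua.match(/Android [\d.]+; ([^)]+)\)/) || [])[1],
  windowsVersion: ua => (ua.match(/Windows NT ([\d.]+)/) || [])[1]
};

// Constructed sample strings in the pre-reduction format.
const samples = [
  'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36',
  'Mozilla/5.0 (Linux; Android 9; SM-A205U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.62 Mobile Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36'
];

// A detector is affected if its answer changes for any sample once the string is reduced.
function auditDetectors(detectorMap, uaSamples) {
  const affected = [];
  for (const [name, detect] of Object.entries(detectorMap)) {
    const changed = uaSamples.some(
      ua => String(detect(ua)) !== String(detect(reduceUserAgent(ua)))
    );
    if (changed) affected.push(name);
  }
  return affected;
}

console.log('Detectors that depend on reduced fields:', auditDetectors(detectors, samples));
```

Checks on browser family, platform name, mobile versus desktop and major version come back unchanged, which matches the compatibility statement quoted earlier in the thread.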

jessegreenberg commented 2 years ago

Comments during status meeting today confirmed that this is safe for us, we can close.