Re: Migrating some high-entropy HTTP headers to Client Hints. from Mike West on 2018-11-30 (ietf-http-wg@w3.org from October to December 2018)

From: Mike West <mkwst@google.com>
Date: Fri, 30 Nov 2018 09:37:57 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=ctQxQssJCKd6-Zy+0eVq=xXoSNjZeLO7Cv4fh3h-wE7Q@mail.gmail.com>

On Fri, Nov 30, 2018 at 12:22 AM Martin Thomson <martin.thomson@gmail.com>
wrote:

> I think maybe I was predisposed to not like this, but I do like it.
> Not saying that I'm hugely enthusiastic about doing the CH part, but
> the bit were User-Agent becomes fixed is really appealing.
>

I am glad the concept overcame your potential predispositions! I think it's
a pretty natural extension of the CH infrastructure, and I think it's a
pretty reasonable compromise that gives us the breathing room to freeze the
UA string while not freezing out developers.

One thing we might consider, if the timing works out, is having user
> agents register their UA strings with us.  We can bake them into the
> QPACK static table so that we can save bits.  I don't want to
> privilege particular clients overly, so that only works if we have
> broad acceptance of the plan.
>

That seems pretty reasonable to me, though I'm not sure how much space we
have to work with in the static table. Chrome's current user agent string
comes in at around ~150 characters, depending on platform. Taking that as a
baseline, how many strings could we reasonably encode? Can the table expand
to an extend that would allow it to cover enough of the UA market?

-mike


> On Thu, Nov 29, 2018 at 9:26 PM Mike West <mkwst@google.com> wrote:
> >
> > Hey folks,
> >
> > Section 9.7 of RFC7231 rightly notes that some of the content
> negotiation headers user agents deliver in HTTP requests create substantial
> fingerprinting surface. I think it would be beneficial if we took steps to
> reduce their prevalence on the wire, and Client Hints looks like a
> reasonable infrastructure on top of which to build.
> >
> > `User-Agent` and `Accept-Language` seem like particularly tasty and
> low-hanging fruit, and I've sketched out two proposals as proofs of concept:
> >
> > *   `User-Agent` could be represented as ~four distinct hints: `UA`,
> `Model`, `Platform`, and `Arch`:
> https://github.com/mikewest/ua-client-hints is a high-level explainer,
> and https://tools.ietf.org/html/draft-west-ua-client-hints a sketchy ID
> for the new headers.
> >
> > *   `Accept-Language` could be represented as a `Lang` hint:
> https://github.com/mikewest/lang-client-hint is a high-level explainer,
> https://tools.ietf.org/html/draft-west-lang-client-hint an equally
> sketchy ID for the new header.
> >
> > I'd appreciate y'all's feedback. Thanks!
> >
> > -mike
>

Received on Friday, 30 November 2018 08:38:34 UTC