Re: [w3ctag/design-reviews] Partial freezing of the User-Agent string (#467)

Let me clarify why GREASE will *not* help *at all*, @mcatanzaro and @jyasskin:

We all agree that website operators want to identify browsers for feature detection, compatibility checks and statistics. Browser vendors want to have their product identified for a known market share and for statistics. So website operators *will* find ways to detect the actual browser name and version (if possible in *any* way), and browser vendors *will* include the real name of their own product (at least for *most* requests).

That’s why we’re here, and this is certain to happen again with a different implementation – simply because of the incentives and interests. Look what we have done as a community (i.e. the overall web community) [[1]](https://github.com/serbanghita/Mobile-Detect/blob/d5d87b40f52d3b6cab9b4485153e4ddfcb63b8c6/Mobile_Detect.php#L520) [[2]](https://developers.whatismybrowser.com/useragents/explore/) [[3]](https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent) [[4]](https://developer.chrome.com/multidevice/user-agent). It will happen again. [Hundreds of libraries](https://github.com/search?q=user+agent) will help do it.

### Today (`User-Agent` string)

```
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
```

might be identified (in part) via

```
isChrome = uaString.contains("Chrome/[.0-9]* ") || uaString.contains("CriOS/[.0-9]* ");
degradedExperience = !isChrome;
```

Sites like Google Docs [might be doing](https://github.com/w3ctag/design-reviews/issues/467#issuecomment-583104002) something like this today.

### Perhaps soon (`Sec-CH-UA` set)

```
"Chrome"; v="80"
"Chrome"; v="80", "Chromium"; v="80"
```

might be identified (in part) via

```
isChrome = uaSet.contains("Chrome");
greatExperience = uaSet.contains("Chromium") || isChrome;
degradedExperience = !greatExperience;
```

### Perhaps soon (`Sec-CH-UA` set + [GREASE](https://github.com/WICG/ua-client-hints#should-the-ua-string-really-be-a-set))

GREASE is [“likely”](https://github.com/w3ctag/design-reviews/issues/467#issue-555594645) to be applied, but [optional](https://wicg.github.io/ua-client-hints/#sec-ch-ua). It [shouldn’t](https://github.com/WICG/ua-client-hints/issues/60) be optional.

[Some parts](https://wicg.github.io/ua-client-hints/#sec-ch-ua) say the plan is to only “[a]ppend additional items” or “[r]andomize the order”.

```
"Chrome"; v="80", "NotBrowser"; v="12"
"Foo"; v="10", "Chrome"; v="80"
"Chrome"; v="81", "Bar"; v="64", "Chromium"; v="81"
```

That can be identified in the same way as above. It only solves the problem of websites blocking unknown browsers. But who does that? Websites can still block:

```
block = !uaSet.contains("Chrome") && !uaSet.contains("Firefox") && !uaSet.contains("Edge") && ...;
```

### Perhaps soon (`Sec-CH-UA` set + [GREASE](https://github.com/WICG/ua-client-hints#should-the-ua-string-really-be-a-set) + drop self)

The Brave and Firefox teams, for example, might want to put in “Chrome” as well, because website operators have added conditions on the presence of “Chrome” again.

Chrome can now prevent this, though. [“Chrome might remove itself from the set entirely”](https://wicg.github.io/ua-client-hints/#grease). *Might*. I doubt it will happen, for the reasons outlined above. But it *might*.

So now all website operators must be responsible citizens of the web and build equivalence classes based solely on the rendering engine:

```
greatExperience = uaSet.contains("Chromium");
degradedExperience = !greatExperience;
```

Now “Chromium” is the new “Chrome” and all browser vendors will add it as well. It will defeat a large part of the purpose of `Sec-CH-UA` once again: Statistics are less meaningful, and not every “Chromium” is like the other “Chromium”. Website operators want to know if it’s Real Chrome, not just something similar with different feature flags or defaults.

And how will website operators detect Real Chrome with these hints?

```
"Foo Browser"; v="23", "Firefox"; v="72", "Gecko"; v="72"

"Chromium"; v="80", "Bar Browser"; v="35", "Brave"; v="104"
```

It’s simple:

```
isChrome = !uaSet.contains("Firefox") && !uaSet.contains("Brave") && !uaSet.contains("Edge") && ...;
```

Others see the same problems or even further problems [[5]](https://github.com/WICG/ua-client-hints/issues/52) [[6]](https://github.com/WICG/ua-client-hints/issues/52#issuecomment-583024730) [[7]](https://github.com/w3ctag/design-reviews/issues/467#issuecomment-580404079) [[8]](https://github.com/WICG/ua-client-hints/issues/52#issuecomment-579602932) [[9]](https://github.com/WICG/ua-client-hints/issues/44).

All in all, this variant of GREASE needs to solve *different* problems from the [*original* GREASE’s](https://tools.ietf.org/html/draft-ietf-tls-grease-01). It *can’t* solve these, and thus it will fail. We’ll be back to where we started, even *with* GREASE (which will only make things more complicated).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/467#issuecomment-583693310

Received on Saturday, 8 February 2020 02:28:51 UTC
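
The detection rules sketched in the message above, applied to its own sample `Sec-CH-UA` values with and without GREASE, as an added JavaScript example (not code from the post or from the UA Client Hints draft). `OTHER_BRANDS`, `grease()`, `seeded()` and the decoy entries are assumptions made for illustration, and the parser covers only the list shape shown in the samples.

```javascript
// Added example. Parses only the `"brand"; v="version"` list shape used in the
// samples above, not the full Structured Headers grammar. Backslash escapes
// inside the quotes are kept raw so that grease() can re-emit them unchanged.
function parseBrandSet(header) {
  const brands = new Map();
  const item = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  for (const [, brand, version] of header.matchAll(item)) brands.set(brand, version);
  return brands;
}

// The three server-side rules sketched in the post. OTHER_BRANDS holds only
// the names the post lists; its "..." is left unfilled (assumption).
const OTHER_BRANDS = ["Firefox", "Brave", "Edge"];
function classify(header) {
  const set = parseBrandSet(header);
  return {
    chromeByName: set.has("Chrome"),
    chromiumEngine: set.has("Chromium"),
    chromeByExclusion: !OTHER_BRANDS.some((b) => set.has(b)),
  };
}

// GREASE as quoted in the post: append additional items, randomize the order.
function grease(header, decoys, rand) {
  const items = [...parseBrandSet(header), ...decoys].map(
    ([brand, version]) => `"${brand}"; v="${version}"`
  );
  for (let i = items.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [items[i], items[j]] = [items[j], items[i]];
  }
  return items.join(", ");
}

// Small seeded generator so every run shuffles the same way (constructed helper).
function seeded(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32;
}

// True when every greased variant classifies exactly like the plain header.
function survivesGrease(header, trials = 100) {
  const rand = seeded(1);
  const decoys = [["NotBrowser", "12"], ["Foo", "10"], ["Bar", "64"]]; // constructed
  const want = JSON.stringify(classify(header));
  for (let t = 0; t < trials; t++) {
    if (JSON.stringify(classify(grease(header, decoys, rand))) !== want) return false;
  }
  return true;
}
```

`survivesGrease()` returns `true` for each sample because all three rules are set-membership tests, which appended items and reordering cannot change. The exclusion rule also returns `true` for a set that contains only brands missing from `OTHER_BRANDS`, so its accuracy depends on how complete that list is.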