Re: [w3ctag/design-reviews] Partial freezing of the User-Agent string (#467)

As @yoavweiss mentioned above, issue [#52](https://github.com/WICG/ua-client-hints/issues/52) in the UA Client Hints repository attempts to summarize much of the ongoing debate here, particularly around GREASE.

My concern with browsers pretending to be other browsers some fixed percentage of the time is twofold:
- First, as @torgo mentioned above, this will make it hard for minority browsers to have their share accurately tracked since it will be unclear how much share should be attributed to actual browser usage versus GREASEd values coming from more popular browsers.
- Second, it will lead to "by design" compatibility issues. When we moved to Chromium, a substantial portion of the UA-related bugs we received from users were from them reporting security emails that stated "We noticed you just logged in from a new Chrome browser" rather than "Edge". This was the result of sites not yet detecting our new "Edg" token as "Edge". These types of issues (i.e. ones where sites legitimately need a stable, accurate per-browser identifier) will become more prevalent by design if all browsers start pretending to be other browsers some amount of the time.

While we certainly ran into a few sites that blocked the new Edge based on the fact that it had an unknown "Edg" token ([web.whatsapp.com](https://web.whatsapp.com) was one example), the far more common cause of breakage that we encountered was from sites that started detecting our "Edg" token as a unique browser, but failed to update their per-browser allow lists to include the new Edge. As @mgol mentioned above:

> These issues wouldn't exist if sites were targeting engines by default instead of browser names 

While I admit that exposing engine by default and letting sites opt into receiving brand information using `Accept-CH: UA` does not address the issues of enabling allow/block lists being created (at least not without some discouragement from opting into additional client hints via something like [Privacy Budget](https://github.com/bslassey/privacy-budget)), my hypothesis is that it would encourage site developers to build allow lists off of well-defined equivalence classes, thus reducing the number of compatibility issues caused by allow lists constructed from per-browser identifiers.

https://github.com/w3ctag/design-reviews/issues/467#issuecomment-585573166

Received on Thursday, 13 February 2020 06:29:50 UTC
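Added example, not part of the original message or of any site's real code: a JavaScript sketch of the two failure modes described above (a stale token table that labels the new Edge as Chrome in a login notice, and a brand allow list that was never updated once "Edg" is detected), set beside an engine-keyed allow list. The User-Agent strings, version numbers, token tables and function names are constructed for illustration, and the engine classifier is a simplifying assumption.

```javascript
// Constructed sample User-Agent strings; version numbers are illustrative.
const UA = {
  edge: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
        "(KHTML, like Gecko) Chrome/80.0.0.0 Safari/537.36 Edg/80.0.0.0",
  chrome: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
          "(KHTML, like Gecko) Chrome/80.0.0.0 Safari/537.36",
  firefox: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) " +
           "Gecko/20100101 Firefox/73.0",
};

// Brand tables are ordered most-specific first: Chromium-based browsers also
// send "Chrome/" and "Safari/" tokens, so the first match decides the label.
const STALE_BRANDS = [["Firefox", /\bFirefox\/\d/], ["Chrome", /\bChrome\/\d/],
                      ["Safari", /\bSafari\/\d/]];
const UPDATED_BRANDS = [["Edge", /\bEdg\/\d/], ...STALE_BRANDS];

function detectBrand(ua, table) {
  for (const [name, re] of table) if (re.test(ua)) return name;
  return "Unknown";
}

// Simplified engine classifier (assumption: these tokens identify the engine).
function detectEngine(ua) {
  if (/\bGecko\/\d/.test(ua)) return "Gecko"; // "like Gecko" has no slash
  if (/\bChrome\/\d/.test(ua)) return "Blink";
  if (/\bAppleWebKit\/\d/.test(ua)) return "WebKit";
  return "Unknown";
}

const loginNotice = (ua, table) =>
  `We noticed you just logged in from a new ${detectBrand(ua, table)} browser`;

// Allow lists: one keyed on brand and never updated, one keyed on engine.
const BRAND_ALLOW = new Set(["Chrome", "Firefox", "Safari"]);
const ENGINE_ALLOW = new Set(["Blink", "Gecko", "WebKit"]);
const allowedByBrand = (ua, table) => BRAND_ALLOW.has(detectBrand(ua, table));
const allowedByEngine = (ua) => ENGINE_ALLOW.has(detectEngine(ua));

for (const [name, ua] of Object.entries(UA)) {
  console.log(name, {
    staleNotice: loginNotice(ua, STALE_BRANDS),
    updatedBrand: detectBrand(ua, UPDATED_BRANDS),
    brandAllowed: allowedByBrand(ua, UPDATED_BRANDS),
    engineAllowed: allowedByEngine(ua),
  });
}
```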