Re: [w3ctag/design-reviews] User-Agent Client Hints & UA Reduction (#640) from Mike Taylor on 2021-08-23 (public-webapps-github@w3.org from August 2021)

From: Mike Taylor <notifications@github.com>
Date: Mon, 23 Aug 2021 10:12:10 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/640/903958398@github.com>

> Currently, UA Client Hints doesn't send Sec-CH-UA-Platform by default has an opt-in mechanism where the server sends e.g. Accept-CH: Sec-CH-UA-Platform and then the browser starts sending the platform in Sec-CH-UA-Platform.

This used to be true. In https://github.com/WICG/ua-client-hints/pull/221, Sec-CH-UA-Platform was changed to a default, low-entropy hint (which was implemented in Chrome 93 and should ship to the stable channel later this month). The rationale can be found in the linked issue, or in [this doc](https://docs.google.com/document/d/122TG71j9LC_Ne_-vzoNBRFUwi_irIuyi_xYFE1o4iKU/edit) I wrote up (the tl;dr is compatibility concerns and platform is passively observable anyways, unless you're behind a network proxy, for example).

> The corresponding alternative that I'd like to understand the evaluation of would be:
> By default send a User-Agent header that claims Windows even on non-Windows platforms.
If the server sends Accept-UA: platform (making up syntax for illustration), subsequently the browser sends a User-Agent header with the real platform (which may still be Windows). (And don't send any Sec-CH-UA-* headers.)

This is partially the original design of UA-CH (default everything to Windows 10), but as that linked doc describes, it's not currently shippable on the web without breaking some important a11y use-cases on legacy sites (primarily keyboard shortcuts).

It's entirely possible that my conclusions are incorrect. This is where another browser engine experimenting with these ideas would be useful. I'm open to making changes to UA-CH based on implementer feedback and experience.

Like @marcoscaceres suggested in https://github.com/w3ctag/design-reviews/issues/640#issuecomment-896413026, I'm open to doing the work to split the spec between HTTP and JS APIs if Mozilla would like to experiment with your proposed alternative through the JS interface. https://github.com/WICG/ua-client-hints/issues/249 would be a good place to follow up on that.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/640#issuecomment-903958398

Received on Monday, 23 August 2021 17:12:23 UTC