Contact emails
[email protected], [email protected]

Explainer
https://github.com/WICG/ua-client-hints#user-agent-client-hints

Specification
https://wicg.github.io/ua-client-hints/#grease

Summary
We seek to align our implementation of GREASE in User Agent Client Hints with the current spec, which includes additional GREASE characters beyond the current semicolon and space, and which recommends varying the arbitrary version. This is to help prevent bad assumptions from being built on top of User-Agent strings. After experimentation over the course of several releases, we propose to make the updated algorithm the default behavior starting with M103. See below for potential risks and their mitigation.

Blink component
Privacy>Fingerprinting <https://bugs.chromium.org/p/chromium/issues/list?q=component:Privacy%3EFingerprinting>

TAG review
N/A. This is a small change to a feature that was already reviewed by the TAG <https://github.com/w3ctag/design-reviews/issues/640>.

TAG review status
Not applicable

Risks

Interoperability and Compatibility
A prior implementation including escaped ASCII 0x22 (double quote) and 0x5C (backslash) proved to be web incompatible and was rolled back. We do not anticipate similar issues with the updated algorithm, because experimentation was run in M98 and M99 (during February and March, 2022), and did not uncover statistically significant shifts in response codes, with the worst finding showing a potential effect size of an additional 2-3 requests per 100k returning 502 responses; it was marked low-to-medium statistical confidence and did not show up consistently across timeframes and platforms, leading us to believe it was noisy. We have also not been able to find bug reports tied to the changes.

However, because there are hundreds of permutations of the GREASE string, we also performed the following set of safety checks:

- Ran a multi-group experiment where each of the new characters was checked in the canary and dev channels; we again did not get statistically significant results for response codes.
- Ran a fuzzer against the top 10,000 sites (per Tranco <https://tranco-list.eu/>) with each of the new characters and did not observe breakage.
- Per experimental results, special attention was paid to 502 responses; none seen with the fuzzer were reproducible in canary with the updated algorithm, reinforcing our belief that the 502 metric was just occasionally noisy.
- Implemented and will maintain for at least an additional 1 year an enterprise escape hatch to opt out of the new behavior; that timeframe will ensure sufficient coverage of permutations.
- Implemented and will maintain for the same timeframe the ability to override the behavior via Finch if problems are uncovered.
- Implemented once-per-version rotation of the string, meaning we would have the full release cycle to uncover any issues with a given permutation, much like we do with any other change to chromium.

Gecko: Non-harmful (https://mozilla.github.io/standards-positions/#ua-client-hints)

WebKit: No signal on this particular change. But unofficially mildly positive <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031201.html> on UA-CH as a whole.

Web developers: No signals

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No; Android WebView is not affected.

Debuggability
N/A; no change required

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes

Flag name
--enable-features="GreaseUACH:updated_algorithm/true"

Requires code in //chrome?
False

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1164423

Anticipated spec changes
None

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5630916006248448

Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/ueudFsZzT1M
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ayyQVGYm%2BE7LreK50L0drNSuBJGHhrcqEK00pqefJ8fPQ%40mail.gmail.com
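
What the Summary's "bad assumptions" look like on the receiving side, as an added example that is not part of the original message or of Chromium's code: a server that splits Sec-CH-UA on ',' and ';' mangles a GREASE brand, while a quote-aware parser that matches only known brands does not. The function names and the sample header are constructed for illustration.

```javascript
// Parser for the Sec-CH-UA shape `"brand";v="version", ...` (string values only).
function parseSecChUa(header) {
  const brands = [];
  let i = 0;
  const skipWs = () => { while (header[i] === ' ' || header[i] === '\t') i++; };
  const readString = () => {
    if (header[i++] !== '"') throw new SyntaxError('expected opening quote');
    let out = '';
    while (i < header.length) {
      const c = header[i++];
      if (c === '"') return out;
      if (c !== '\\') { out += c; continue; }
      const esc = header[i++]; // only \" and \\ are valid escapes
      if (esc !== '"' && esc !== '\\') throw new SyntaxError('bad escape');
      out += esc;
    }
    throw new SyntaxError('unterminated string');
  };
  while (i < header.length) {
    skipWs();
    const entry = { brand: readString(), version: null };
    while (header[i] === ';') { // parameters start only after the closing quote
      i++; skipWs();
      let key = '';
      while (i < header.length && /[a-z0-9_.*-]/.test(header[i])) key += header[i++];
      if (header[i] !== '=') continue; // bare parameter, no value
      i++;
      const value = readString();
      if (key === 'v') entry.version = value;
    }
    brands.push(entry);
    skipWs();
    if (i < header.length && header[i++] !== ',') throw new SyntaxError('expected comma');
  }
  return brands;
}

// Match only brands the server knows; unknown entries, GREASE included, are ignored.
function findBrand(header, wanted) {
  return parseSecChUa(header).find((b) => b.brand === wanted) || null;
}

// The shortcut GREASE is meant to flush out: splitting on ',' and ';'.
function naiveBrands(header) {
  return header.split(',').map((p) => p.split(';')[0].trim().replace(/"/g, ''));
}

// Constructed sample; the first brand is a made-up GREASE-style value.
const SAMPLE = '"Not;A=Brand";v="8", "Chromium";v="103", "Google Chrome";v="103"';
```

Because the GREASE brand and its version rotate per release, code should look up the brands it recognises by exact match rather than try to filter GREASE entries out by pattern.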
