LGTM1 Thanks for aligning with the spec and tackling this change carefully. Hoping it sticks.
On Tue, May 3, 2022 at 4:18 PM Matt Reichhoff <[email protected]> wrote:

> Contact emails
>
> [email protected], [email protected]
>
> Explainer
>
> https://github.com/WICG/ua-client-hints#user-agent-client-hints
>
> Specification
>
> https://wicg.github.io/ua-client-hints/#grease
>
> Summary
>
> We seek to align our implementation of GREASE in User Agent Client Hints
> with the current spec, which includes additional GREASE characters beyond
> the current semicolon and space, and which recommends varying the arbitrary
> version. This is to help prevent bad assumptions from being built on top of
> User-Agent strings.
>
> After experimentation over the course of several releases, we propose to
> make the updated algorithm the default behavior starting with M103. See
> below for potential risks and their mitigation.
>
> Blink component
>
> Privacy>Fingerprinting
> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Privacy%3EFingerprinting>
>
> TAG review
>
> N/A. This is a small change to a feature that was already reviewed by the
> TAG <https://github.com/w3ctag/design-reviews/issues/640>.
>
> TAG review status
>
> Not applicable
>
> Risks
> Interoperability and Compatibility
>
> A prior implementation including escaped ASCII 0x22 (double quote) and
> 0x5C (backslash) proved to be web incompatible and was rolled back.
>
> We do not anticipate similar issues with the updated algorithm, because
> experimentation was run in M98 and M99 (during February and March, 2022),
> and did not uncover statistically significant shifts in response codes,
> with the worst finding showing a potential effect size of an additional 2-3
> requests per 100k returning 502 responses; it was marked low-to-medium
> statistical confidence and did not show up consistently across timeframes
> and platforms, leading us to believe it was noisy. We have also not been
> able to find bug reports tied to the changes.
>
> However, because there are hundreds of permutations of the GREASE string,
> we also performed the following set of safety checks:
>
> - Ran a multi-group experiment where each of the new characters was
>   checked in the canary and dev channels; we again did not get statistically
>   significant results for response codes.
> - Ran a fuzzer against the top 10,000 sites (per Tranco
>   <https://tranco-list.eu/>) with each of the new characters and did not
>   observe breakage.
> - Per experimental results, special attention was paid to 502
>   responses; none seen with the fuzzer were reproducible in canary with
>   the updated algorithm, reinforcing our belief that the 502 metric was just
>   occasionally noisy.
> - Implemented and will maintain for at least an additional 1 year an
>   enterprise escape hatch to opt out of the new behavior; that timeframe will
>   ensure sufficient coverage of permutations.
> - Implemented and will maintain for the same timeframe the ability to
>   override the behavior via Finch if problems are uncovered.
> - Implemented once-per-version rotation of the string, meaning we would
>   have the full release cycle to uncover any issues with a given permutation,
>   much like we do with any other change to chromium.
>
> Gecko: Non-harmful
> (https://mozilla.github.io/standards-positions/#ua-client-hints)
>
> WebKit: No signal on this particular change. But unofficially mildly
> positive
> <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031201.html> on
> UA-CH as a whole.
>
> Web developers: No signals
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
>
> No; Android WebView is not affected.
>
> Debuggability
>
> N/A; no change required
>
> Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
>
> Yes
>
> Flag name
>
> --enable-features="GreaseUACH:updated_algorithm/true"
>
> Requires code in //chrome?
>
> False
>
> Tracking bug
>
> https://bugs.chromium.org/p/chromium/issues/detail?id=1164423
>
> Anticipated spec changes
>
> None
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/5630916006248448
>
> Links to previous Intent discussions
>
> Intent to prototype:
> https://groups.google.com/a/chromium.org/g/blink-dev/c/ueudFsZzT1M
> Intent to Experiment:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ayyQVGYm%2BE7LreK50L0drNSuBJGHhrcqEK00pqefJ8fPQ%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/cagg35ayyqvgym+e7lrek50l0drnsubjghhrcqek00pqefj8...@mail.gmail.com>
>
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ax2ckar8632L81A4-Yo%3DFumAKr3AP_iwGnpZXvH%3DYePmg%40mail.gmail.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ax2ckar8632L81A4-Yo%3DFumAKr3AP_iwGnpZXvH%3DYePmg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
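
The thread's stated goal is to keep servers from building bad assumptions on the brand list, so here is an added example (not part of the original thread and not Chromium code) of a `Sec-CH-UA` parser that reads quoted strings properly and looks brands up by name, next to a split-based one that breaks on a GREASE brand. The header values are constructed samples and all function names are hypothetical.

```javascript
// Constructed sample header (not captured from a browser); names are hypothetical.
const SAMPLE =
  '"(Not;A=Brand";v="8", "Chromium";v="103", "Google Chrome";v="103"';
function skipSpaces(s, i) { while (s[i] === ' ') i++; return i; }
function readString(s, i) { // returns [value, indexAfterClosingQuote]
  if (s[i] !== '"') throw new SyntaxError(`expected '"' at offset ${i}`);
  let out = '';
  for (i++; i < s.length; i++) {
    if (s[i] === '"') return [out, i + 1];
    if (s[i] === '\\') {
      i++; // only \" and \\ are valid escapes in a structured-field string
      if (s[i] !== '"' && s[i] !== '\\') throw new SyntaxError('bad escape');
    }
    out += s[i];
  }
  throw new SyntaxError('unterminated string');
}

// Handles string-valued parameters only, which is all the brand list uses.
function parseBrandList(header) {
  const brands = [];
  let i = skipSpaces(header, 0);
  while (i < header.length) {
    let brand, value, version = null;
    [brand, i] = readString(header, i);
    while (header[i] === ';') { // parameters follow the closing quote only
      i = skipSpaces(header, i + 1);
      const key = /^[a-z*][a-z0-9_.*-]*=/.exec(header.slice(i));
      if (!key) throw new SyntaxError(`expected key= at offset ${i}`);
      [value, i] = readString(header, i + key[0].length);
      if (key[0] === 'v=') version = value;
    }
    brands.push({ brand, version });
    i = skipSpaces(header, i);
    if (i === header.length) break;
    if (header[i] !== ',') throw new SyntaxError(`expected ',' at offset ${i}`);
    i = skipSpaces(header, i + 1);
  }
  return brands;
}

// Look a brand up by exact name; never rely on list position or length.
function versionOf(header, name) {
  const hit = parseBrandList(header).find((b) => b.brand === name);
  return hit ? hit.version : null;
}

// The brittle approach: splitting on ';' cuts the GREASE brand in half.
function naiveBrands(header) {
  return header.split(',').map((p) => p.split(';')[0].trim().replace(/"/g, ''));
}
```

Running both over the same header in a test suite, with the entries reordered and the GREASE brand swapped between releases, is a cheap way to catch parsing assumptions before a browser's per-version rotation does.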
