LGTM2
/Daniel
On 2022-05-03 16:23, Yoav Weiss wrote:
LGTM1
Thanks for aligning with the spec and tackling this change carefully.
Hoping it sticks.
On Tue, May 3, 2022 at 4:18 PM Matt Reichhoff
<[email protected]> wrote:
Contact emails
[email protected], [email protected]
Explainer
https://github.com/WICG/ua-client-hints#user-agent-client-hints
Specification
https://wicg.github.io/ua-client-hints/#grease
Summary
We seek to align our implementation of GREASE in User Agent Client
Hints with the current spec, which includes additional GREASE
characters beyond the current semicolon and space, and which
recommends varying the arbitrary version. This is to help prevent
bad assumptions from being built on top of User-Agent strings.
After experimentation over the course of several releases, we
propose to make the updated algorithm the default behavior
starting with M103. See below for potential risks and their
mitigation.
Blink component
Privacy>Fingerprinting
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Privacy%3EFingerprinting>
TAG review
N/A. This is a small change to a feature that was already reviewed
by the TAG <https://github.com/w3ctag/design-reviews/issues/640>.
TAG review status
Not applicable
Risks
Interoperability and Compatibility
A prior implementation including escaped ASCII 0x22 (double quote)
and 0x5C (backslash) proved to be web incompatible and was rolled
back.
We do not anticipate similar issues with the updated algorithm,
because experimentation was run in M98 and M99 (during February
and March, 2022), and did not uncover statistically significant
shifts in response codes, with the worst finding showing a
potential effect size of an additional 2-3 requests per 100k
returning 502 responses; it was marked low-to-medium statistical
confidence and did not show up consistently across timeframes and
platforms, leading us to believe it was noisy. We have also not
been able to find bug reports tied to the changes.
However, because there are hundreds of permutations of the GREASE
string, we also performed the following set of safety checks:
* Ran a multi-group experiment where each of the new characters
  was checked in the canary and dev channels; we again did not
  get statistically significant results for response codes.
* Ran a fuzzer against the top 10,000 sites (per Tranco
  <https://tranco-list.eu/>) with each of the new characters and
  did not observe breakage.
  o Per experimental results, special attention was paid to
    502 responses; none seen with the fuzzer were reproducible
    in canary with the updated algorithm, reinforcing our
    belief that the 502 metric was just occasionally noisy.
* Implemented and will maintain for at least an additional 1
  year an enterprise escape hatch to opt out of the new
  behavior; that timeframe will ensure sufficient coverage of
  permutations.
* Implemented and will maintain for the same timeframe the
  ability to override the behavior via Finch if problems are
  uncovered.
* Implemented once-per-version rotation of the string, meaning
  we would have the full release cycle to uncover any issues
  with a given permutation, much like we do with any other
  change to chromium.
Gecko: Non-harmful
(https://mozilla.github.io/standards-positions/#ua-client-hints)
WebKit: No signal on this particular change. But unofficially
mildly positive
<https://lists.webkit.org/pipermail/webkit-dev/2020-May/031201.html> on
UA-CH as a whole.
Web developers: No signals
WebView application risks
Does this intent deprecate or change behavior of existing APIs,
such that it has potentially high risk for Android WebView-based
applications?
No; Android WebView is not affected.
Debuggability
N/A; no change required
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes
Flag name
--enable-features="GreaseUACH:updated_algorithm/true"
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1164423
Anticipated spec changes
None
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5630916006248448
Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/ueudFsZzT1M
Intent to Experiment:
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ayyQVGYm%2BE7LreK50L0drNSuBJGHhrcqEK00pqefJ8fPQ%40mail.gmail.com
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ax2ckar8632L81A4-Yo%3DFumAKr3AP_iwGnpZXvH%3DYePmg%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGg35ax2ckar8632L81A4-Yo%3DFumAKr3AP_iwGnpZXvH%3DYePmg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
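
The Summary and the compatibility risk above both come down to how servers read the brand list, so here is an added example, not part of the thread and not Chromium code: a server-side reader for a Sec-CH-UA style header that tokenizes quoted strings instead of splitting on punctuation, then matches only brands it knows. The function names and the sample header values are constructed for illustration, and the punctuation in the samples is not a list taken from the spec; only string-valued parameters are handled.

```javascript
// Added example (not Chromium code): parse a Sec-CH-UA style brand list
// without assuming which punctuation may appear inside a quoted brand.
function parseBrandList(header) {
  const brands = [];
  let i = 0;
  const skipWs = () => { while (header[i] === ' ' || header[i] === '\t') i++; };
  const readString = () => {
    if (header[i] !== '"') throw new SyntaxError(`expected '"' at offset ${i}`);
    let out = '';
    for (i++; i < header.length; i++) {
      const c = header[i];
      if (c === '"') { i++; return out; }
      if (c === '\\') {                      // only \" and \\ are valid escapes
        const next = header[++i];
        if (next !== '"' && next !== '\\') throw new SyntaxError('bad escape');
        out += next;
      } else out += c;
    }
    throw new SyntaxError('unterminated string');
  };
  for (;;) {
    skipWs();
    const entry = { brand: readString(), version: null };
    while (header[i] === ';') {              // parameters such as ;v="103"
      i++;
      skipWs();
      const m = /^([a-z*][a-z0-9_.*-]*)=/.exec(header.slice(i));
      if (!m) throw new SyntaxError(`bad parameter at offset ${i}`);
      i += m[0].length;
      const value = readString();
      if (m[1] === 'v') entry.version = value;
    }
    brands.push(entry);
    skipWs();
    if (i >= header.length) return brands;
    if (header[i++] !== ',') throw new SyntaxError('expected "," between entries');
  }
}

// Match only brands the caller knows; everything else, GREASE included, is ignored.
function knownBrandVersion(header, known) {
  const hit = parseBrandList(header).find((b) => known.includes(b.brand));
  return hit ? { brand: hit.brand, major: Number.parseInt(hit.version, 10) } : null;
}

// Constructed sample values, not captured traffic.
const SAMPLES = [
  '" Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"',
  '"Chromium";v="103", "(Not(A:Brand";v="8", "Google Chrome";v="103"',
];
```

Because the lookup is by exact known brand name, a change in the GREASE entry's text, version or position between releases does not alter the result.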