The Critical-CH header can trigger a request re-try. It's for situations
where the browser could be unaware of the site's CH preferences (like the
first navigation request to a site before the browser has received and
stored CH preferences) or if a site has changed those references, and the
site would rather drop the request and retry over getting a potentially
"incomplete" request

This would *not* override potential mitigations or reductions in
fingerprinting surfaces imposed by the browser. Any headers that would be
blocked would still be silently dropped.

(cc davidben, mjs who I forgot to CC the first time)

On Thu, Jan 28, 2021 at 9:35 PM Ryosuke Niwa <> wrote:

> What's the point of specifying Critical-CH as opposed to relying on CH
> provided by the browser?
> Is the idea that some browsers may decide to hide some client hints to
> reduce the fingerprinting surface?
> If so, then this new header seems to just defeat that because a website
> can specify all the client hints as critical.
> - R. Niwa
> On Wed, Jan 27, 2021 at 4:40 AM Aaron Tagliaboschi via webkit-dev <
>> wrote:
>> Explainer:
>> Draft Spec:
>> The Client Hint Reliability proposal is a set of features aimed at making
>> Client Hints
>> <> more
>> reliably available and mitigating
>> mis-matches between a site's preferences and the preferences stored in
>> the browser. The idea
>> behind the Critical-CH response header is to signal to browsers that
>> there are hints the server
>> would rather pay a round trip than not have not the first request. The
>> basic algorithm is as follows:
>> If, after receiving a request with Critical-CH and Accept-CH headers,
>> there is a hint indicated in
>> the Critical-CH header that the browser did not send but would not block
>> sending, the browser
>> should store the new CH preferences, drop the request, and start a new
>> one with the new
>> headers included.
>> Aaron Tagliaboschi | Software Engineer, Chrome Trust & Safety
>> _______________________________________________
>> webkit-dev mailing list
webkit-dev mailing list

Reply via email to