Chromium proposal to use client hints in parallel with diminished User-Agent headers
The role of the HTTP header 'User-Agent' might diminish in 2020 as future versions of Chromium may freeze and then replace the HTTP header. Google propose providing information about the device, operating system, browser, and architecture with a client hint implementation, which gives slightly more control to the user. The proposal is yet to be reviewed by the W3C and is open to consultation.
If adopted client hints will require a few simple changes for a web site to continue to gain access to information about the device, browser, and operating system. It is almost identical to the techniques already needed to fully identify web browsers such as Opera or UC. As such 51Degrees data files and APIs already support the concepts of client hint user-agent header without any modifications to the deployed API.
This blog provides a technical overview of the changes and explains how 51Degrees already supports the client hint user-agent model.
The proposed change to client hints appears to be driven out of a desire to improve the perception of privacy associated with web browsing.
The User-Agent string - a sequence of characters that can be used with 51Degrees and other device detection services - is perceived to represent a privacy risk as it contains limited non-personal information about the browser, operating system, and device. Users have little control (beyond their choice of web browser vendor) over the data that is sent about their device, operating system, or browser. Personal information should never be included in the User-Agent header. The assertion that a privacy risks exists is yet to be substantiated.
From an engineering perspective, the User-Agent string is inefficient as it contains many characters and is unstructured. 51Degrees has built a set of technologies specifically to make sense of these strings.
Client hints could remove much of the complexity associated with identifying the browser, operating system, and device. Client hints do not remove the need to maintain an accurate catalog of the associated device, browser, and operating system data.
A User-Agent is sent with every HTTP request to inform the web server, site, and service about the capabilities of the user's agent. Here's an example from a Pixel 2 XL.
Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2 XL Build/OPD1.170816.0a04) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Mobile Safari/537.36
Algorithms developed by 51Degrees can turn this single string of characters into information about the device (Pixel 2 XL), operating system (Android 8), and browser (Chrome 79) with over 99.9% accuracy.
Such information is essential to analyze web traffic accurately, diagnose browser or device-specific issues such as slow performance of video rendering, and to adapt the web site to the specific capabilities of the device. Other use cases include.
- Providing web services such as news and commerce in developing countries.
- Dynamic creation of Content Security Policies (CSP).
- Programmatic advertising. Most recent standards have the single User-Agent string baked in.
- Understanding web traffic to improve experiences - analytics.
- Servicing applications to Android devices.
- Fraud and non-human identification services.
- Diagnosing slow performance or UI problems based on actual devices, not the high-end ones used exclusively by web professionals.
- Optimizing images and video.
User Agent Client Hints
At the time of writing - mid-January 2020 - much detail is still needed concerning the specific information and the proposal is yet to be agreed. A summary of the various working papers and statements would suggest the following.
Unlike the User-Agent - which is sent out with every single web request - client hints in Chrome are likely only to hand out the information when two conditions are satisfied.
- the web site asks for the information, AND
- the user and the browser vendor allow it.
When the two conditions are satisfied, user agent clients will send the associated data in structured header fields during subsequent responses.
The W3C defines a complete list of client hints in the working paper, the User-Agent Client Hints Draft Community Group Report as.
|Sec-CH-Arch||Architecture of the platform. E.g. ARM64|
|Sec-CH-Model||Model of the user agent. E.g. Pixel 2 XL|
|Sec-CH-Platform||Platform on which a given user agent is executing. E.g Android 8.0|
|Sec-CH-UA||User agent’s branding and version. E.g. Chrome 79|
|Sec-CH-Mobile||Information about whether a user agent prefers a 'mobile' user experience. E.g true or false. It’s not clear how a mobile is defined and by whom which is why this business prefers Sec-CH-Model to enable the web service to decide.|
Table 1- probable user agent client hint headers
They can be requested either via an HTTP response header or via the HTML <meta> element. An example of a possible implementation follows.
1. Via HTTP headers in the response from the webserver.
Accept-CH: Arch, Model, Platform, UA, Mobile
2. Via HTML.
<meta http-equiv='Accept-CH' content='Arch, Model, Platform, UA, Mobile'>
User-agent data via client hints is unlikely to be available to third parties e.g., cloud analytical services, such as Google Analytics.
What does this mean?
The User-Agent string (not the same as a 'user's agent': the device, operating system, and browser they're using) as an unstructured sequence of characters was never an ideal method of providing the information.
What to change?
Not all browsers, app, and crawlers will adopt the change.
Web professionals will need to adapt to the techniques used above and run both User-Agent header and client hint techniques for many years to come. 51Degrees data files and APIs already support the concepts of client hint user-agent header without any modifications to the deployed API.
Data models that rely on a single string of characters to represent the user agent, for example, Open Real-Time Bidding in programmatic advertising - will need to be adjusted to either consolidate the client hint fields or follow the same data model. This will require cross-industry working in many cases.
51Degrees are well placed to help with the migration and automatically provide information about device, browser, and operating system when client hints become mainstream. For the majority of users, the main change will be to request client hint headers and provide these additional headers as evidence to the 51Degrees cloud or on-premise APIs.
For those who feel the proposal has not been well thought through, relies on unproven techniques, and will diminish the web for a significant number of people - particularly in developing countries - getting in contact with Chromium is essential.
Two simple methods are to post on the following GitHub and Chromium groups.