Comments (3)
miketaylr
commented on May 29, 2024
Hi @romainmenke, thanks for the issue!
One major challenge here are the non Safari browsers and webviews on iOS and Chromium based browsers like Edge, Samsung Internet, Opera, ...
To confirm, you mean all browsers on iOS, correct? Or do you also mean webview on Android?
I agree that it would be nice if Chrome for iOS supported UA-CH (as well as Safari).
My concern is that
brandandfull versionare too vague in the current specification.
Would you mind clarifying what you mean here?
from client-hints-infrastructure.
romainmenke
commented on May 29, 2024
To confirm, you mean all browsers on iOS, correct? Or do you also mean webview on Android?
I do not have an android device so I can not easily judge the situation on Android.
@romainmenke said :
My concern is that brand and full version are too vague in the current specification.
@miketaylr said :
Would you mind clarifying what you mean here?
The current behaviour for Chrome on iOS is to erase the information about the underlying engine in the user agent string. They replace it with CriOS/x.y.z.
The same is done by every other browser I could test in iOS except Brave. Brave chooses to preserve the actual information.
My concern is that brand and full version are too vague.
Do you list the brand and version of the label on the outside : CriOS x.y.z?
Or do you list the brand and version of the actual browser : Safari x.y.x?
The same issue exists for every Chromium based browser.
Is it Opera x.y.z or Chromium x.y.z.
This part of the specification is line with my concern :
While I'm optimistic that we can reset
expectations around sniffing by freezing the thing that's sniffed-
upon today, and creating a sane set of options for developers, it's
likely that this is hopelessly naive. It's reasonable to ponder what
we should do to encourage sniffing in the right way, if we believe
it's going to happen one way or another.
There are valid use cases for user agent sniffing for applications like polyfill.io.
These only intend to make as many websites work for as many people as possible.
But the current wording of the specification allows anything as brand and full version.
Also values which are non-bogus but still technically incorrect.
Requiring at least the inclusion of the underlying engine name and its version would be more useful in my opinion. But maybe this is not the intended use case for Sec-CH-UA?
from client-hints-infrastructure.
romainmenke
commented on May 29, 2024
To state it differently.
The current specification takes into account the anti-pattern of websites checking for older user agents and blocking end users from accessing content. It tries to prevent this with GREASE-like UA strings.
It however doesn't state anything that user agents must add correct information about their engine identity. (maybe I missed this completely)
To work through this issue both sides need to be done correctly.
User agents need to advertise correctly who they are and sites need to correctly parse and handle this information.
from client-hints-infrastructure.
Related Issues (20)
- Refresh GH Pages HOT 1
- Make it clear that UAs are not required to support every client hint ever HOT 5
- iFrame cross domain support HOT 3
- browser retries from the beginning of the multiple redirection with critical-ch HOT 4
- Usability of ACCEPT_CH frame HOT 1
- Define "high entropy" hint
- Integrate at the correct point in Fetch
- Access Client Hints can't be delegated to the document opting-in using `<meta>` tags HOT 10
- Are there any example to apply ACCEPT_CH frame on loadbalancer?
- Clarification on Accept-CH Lifetime HOT 10
- Consider a new class of low-entropy CHs that a subresource can request HOT 1
- RFC 8942 does not define Critical-CH
- Clarification on multiple Accept-CH headers, ACCEPT_CH and/or <meta http-equiv> tags HOT 7
- CORS preflight requests and UA-CH HOT 8
- Google Ads does not respect Critical-CH restart HOT 7
- Bug in spec, subresources don't get client hints as a result HOT 1
- Define Critical-CH Restart logic more rigorously. HOT 4
- Empty Accept-CH being used to clear Client Hint requests HOT 12
- Primary brand name for Sec-CH-UA and Sec-CH-UA-Full-Version-List HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from client-hints-infrastructure.