Comments (6)
@nicjansma I think you are misreading the situation, especially as regards Vivaldi.
Essentially, Vivaldi will NEVER display our brand to a site we don't control or have a contractual agreement with that involves a requirement to not discriminate (as a matter of fact, it is just a few months since we removed a partner from that list because they were discriminating us).
As detailed in WICG/ua-client-hints#293 we have seen multiple cases of smaller and larger sites, including banking sites, discriminating against us based on not sending a Google Chrome or Microsoft Edge brand in the header. And we don't trust such sites to NOT discriminate if they locate an unknown brand in the header, which is why our default now is to send the Google Chrome brand, with only a couple of exceptions.
Regarding "primary", that would only be (marginally) useful if many clients start sending multiple well-known brands in the header, like developed in the original UA header. At present I don't see that happening, and I would not be surprised if the bad sites started blocking clients that send multiple well-known brands in the header.
In case multiple brands are used by some clients, my guess it that your stats engine could immediately decide that they are not Chrome or Edge (since I doubt they will start sending multiple brands), but may possible be one (or none) of the other brands in the header. And the primary field might still be lying.
You can read more about our position in my article Client Hints, or Client Lies
Bottom line: It is the "bad" sites that restrict what we can do (and what Client Hints can accomplish), not the "good" ones. And the "bad" ones are usually found on the list of sites that "MUST WORK!!"(TM), and there are at most four browsers that can make any of those behave.
from client-hints-infrastructure.
Yes, it would be nice to be accurately represented in stats.
However, in the present situation making sure our users are not discriminated against is far more important to us. That was why we removed "Vivaldi" from the UA string, and why we are not using it in the Client Hints, except for pre-approved partner domains. Theoretically, independent stats collectors could be pre-approved, but they would have to do their collection at a specific host that we can change the header for. At least one major stats collector do their analysis in JS on the visited site, not a separate server controlled by them, which means they cannot be pre-approved.
As mentioned in my comment WICG/ua-client-hints#293 (comment) , at the time when we changed to sending the Chrome Brand, we had confirmed discrimination by companies such as PNC Bank and Nextdoor, and we suspected it was also happening (but was never able to confirm) on several other sites, including Wells Fargo.
IMNSHO only major worldwide legislation with extreme fines (and enforcement) can prevent discrimination of alternative clients.
BTW, the "Not a Brand" is very easy to recognize with a simple regexp, as is the "Chromium" brand sent by Chromium-based browsers. Then it is just a question of analyzing the other brands listed, whether they are on the "approved" list, and whether there are "non-approved" brands listed, and having multiple brands might easily be considered "non-approved", unless Google Chrome and Edge does it in a significant portion of their connections to a site (and does not vary on a given site).
from client-hints-infrastructure.
The reason Vivaldi is removing their brand name from Sec-CH-UA is because some site owners are writing code like:
if (brand I don't recognise is in brand list)
block user agent;
Even though Vivaldi is in fact fully capable of using the site. In order to use the site, Vivaldi is forced to lie and pretend to be Google Chrome.
Your proposed change would make this situation worse, as now the bad sites just have to check if the primary brand is one they allow, rather than every one in the list. Every minor browser would be forced to lie about which brand was primary in order to access these sites - and no, a boycott of those sites is not viable. Most people will switch browsers rather than switch sites.
from client-hints-infrastructure.
@Sora2455 writes:
The reason Vivaldi is removing their brand name from Sec-CH-UA is because some site owners are writing code like:
if (brand I don't recognise is in brand list) block user agent;
Not exactly -- if they were doing that, they would fail on the new GREASEd brands every version (e.g. Not;A Brand
).
With the example shared from @YngveNPettersen in WICG/ua-client-hints#293 the logic is slightly more complex, as it's looking for a pre-approved list of brands:
function getBrowser(brands){
const browser = brands.reduce((a, c) => c.brand.match(/Microsoft Edge|Google Chrome/) ? c : a);
return browser;
}
i.e. looking for Microsoft Edge
and Google Chrome
specifically.
With the proposal of defining a ;primary
brand, Vivaldi could choose to represent themselves as:
Sec-CH-UA: "[Not.A/Brand](http://not.a/Brand)";v="8", "Chromium";v="114", "Google Chrome";v="114", "Vivaldi";v="114;primary"
i.e.:
Not.A/Brand
for GREASEChromium
for engine compatibilityGoogle Chrome
for simple browser/brand compatibilityVivaldi
asprimary
for marketing purposes
Your proposed change would make this situation worse, as now the bad sites just have to check if the primary brand is one they allow, rather than every one in the list
Yes, sites could use the primary
denotation for evil. I would hope, given that they could inspect the brands list for engine and browser compatibility (e.g. searching for Google Chrome
or even better Chromium
), they would choose that rather than expecting a specific flavor of Chromium. At least this would give them the choice, and possibly stop Vivaldi from having to hide their branding.
from client-hints-infrastructure.
@YngveNPettersen writes:
Essentially, Vivaldi will NEVER display our brand to a site we don't control or have a contractual agreement with that involves a requirement to not discriminate (as a matter of fact, it is just a few months since we removed a partner from that list because they were discriminating us).
Is Vivaldi not concerned about being properly represented in marketshare usage reports? I was hoping this proposal could allow Vivaldi to be better represented for markeshare, while still advertising engine/browser/brand compatibility with e.g. Chrome.
Regardless, it will certainly help for other analytics cases.
from client-hints-infrastructure.
Yes, sites could use the primary denotation for evil. I would hope, given that they could inspect the brands list for engine and browser compatibility (e.g. searching for Google Chrome or even better Chromium), they would choose that rather than expecting a specific flavor of Chromium. At least this would give them the choice, and possibly stop Vivaldi from having to hide their branding.
But that doesn't require this ;primary
feature? All your suggested fix requires is for Vivaldi to claim to be Google Chrome and Vivaldi at the same time. Adding ;primary
might fool the bad sites for a while... until they change their code to always fetch the ;primary
brand and then we're back to square one. Much like how the Sec-CH-UA
header did in the first place - it helped until bad sites 'updated' their code to bring their bad behaviours in line with the new standard.
@YngveNPettersen can speak with more authority on this, but I assume things aren't as simple as "just claim to be Chrome and yourself".
from client-hints-infrastructure.
Related Issues (20)
- Make it clear that UAs are not required to support every client hint ever HOT 5
- iFrame cross domain support HOT 3
- browser retries from the beginning of the multiple redirection with critical-ch HOT 4
- Define "brand" and "full version" for CH-UA HOT 3
- Usability of ACCEPT_CH frame HOT 1
- Define "high entropy" hint
- Integrate at the correct point in Fetch
- Access Client Hints can't be delegated to the document opting-in using `<meta>` tags HOT 10
- Are there any example to apply ACCEPT_CH frame on loadbalancer?
- Clarification on Accept-CH Lifetime HOT 10
- Consider a new class of low-entropy CHs that a subresource can request HOT 1
- RFC 8942 does not define Critical-CH
- Clarification on multiple Accept-CH headers, ACCEPT_CH and/or <meta http-equiv> tags HOT 7
- CORS preflight requests and UA-CH HOT 8
- Google Ads does not respect Critical-CH restart HOT 7
- Bug in spec, subresources don't get client hints as a result HOT 1
- Define Critical-CH Restart logic more rigorously. HOT 4
- Empty Accept-CH being used to clear Client Hint requests HOT 12
- Is Delegate-CH a pragma or not? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from client-hints-infrastructure.