Primary brand name for Sec-CH-UA and Sec-CH-UA-Full-Version-List about client-hints-infrastructure HOT 6 OPEN

@nicjansma I think you are misreading the situation, especially as regards Vivaldi.

Essentially, Vivaldi will NEVER display our brand to a site we don't control or have a contractual agreement with that involves a requirement to not discriminate (as a matter of fact, it is just a few months since we removed a partner from that list because they were discriminating us).

As detailed in WICG/ua-client-hints#293 we have seen multiple cases of smaller and larger sites, including banking sites, discriminating against us based on not sending a Google Chrome or Microsoft Edge brand in the header. And we don't trust such sites to NOT discriminate if they locate an unknown brand in the header, which is why our default now is to send the Google Chrome brand, with only a couple of exceptions.

Regarding "primary", that would only be (marginally) useful if many clients start sending multiple well-known brands in the header, like developed in the original UA header. At present I don't see that happening, and I would not be surprised if the bad sites started blocking clients that send multiple well-known brands in the header.

In case multiple brands are used by some clients, my guess it that your stats engine could immediately decide that they are not Chrome or Edge (since I doubt they will start sending multiple brands), but may possible be one (or none) of the other brands in the header. And the primary field might still be lying.

You can read more about our position in my article Client Hints, or Client Lies

Bottom line: It is the "bad" sites that restrict what we can do (and what Client Hints can accomplish), not the "good" ones. And the "bad" ones are usually found on the list of sites that "MUST WORK!!"(TM), and there are at most four browsers that can make any of those behave.

from client-hints-infrastructure.

Yes, it would be nice to be accurately represented in stats.

However, in the present situation making sure our users are not discriminated against is far more important to us. That was why we removed "Vivaldi" from the UA string, and why we are not using it in the Client Hints, except for pre-approved partner domains. Theoretically, independent stats collectors could be pre-approved, but they would have to do their collection at a specific host that we can change the header for. At least one major stats collector do their analysis in JS on the visited site, not a separate server controlled by them, which means they cannot be pre-approved.

As mentioned in my comment WICG/ua-client-hints#293 (comment) , at the time when we changed to sending the Chrome Brand, we had confirmed discrimination by companies such as PNC Bank and Nextdoor, and we suspected it was also happening (but was never able to confirm) on several other sites, including Wells Fargo.

IMNSHO only major worldwide legislation with extreme fines (and enforcement) can prevent discrimination of alternative clients.

BTW, the "Not a Brand" is very easy to recognize with a simple regexp, as is the "Chromium" brand sent by Chromium-based browsers. Then it is just a question of analyzing the other brands listed, whether they are on the "approved" list, and whether there are "non-approved" brands listed, and having multiple brands might easily be considered "non-approved", unless Google Chrome and Edge does it in a significant portion of their connections to a site (and does not vary on a given site).

from client-hints-infrastructure.

The reason Vivaldi is removing their brand name from Sec-CH-UA is because some site owners are writing code like:

if (brand I don't recognise is in brand list)
    block user agent;

Even though Vivaldi is in fact fully capable of using the site. In order to use the site, Vivaldi is forced to lie and pretend to be Google Chrome.

Your proposed change would make this situation worse, as now the bad sites just have to check if the primary brand is one they allow, rather than every one in the list. Every minor browser would be forced to lie about which brand was primary in order to access these sites - and no, a boycott of those sites is not viable. Most people will switch browsers rather than switch sites.

from client-hints-infrastructure.

@Sora2455 writes:

The reason Vivaldi is removing their brand name from Sec-CH-UA is because some site owners are writing code like:

if (brand I don't recognise is in brand list)
  block user agent;

Not exactly -- if they were doing that, they would fail on the new GREASEd brands every version (e.g. Not;A Brand).

With the example shared from @YngveNPettersen in WICG/ua-client-hints#293 the logic is slightly more complex, as it's looking for a pre-approved list of brands:

function getBrowser(brands){
	const browser = brands.reduce((a, c) => c.brand.match(/Microsoft Edge|Google Chrome/) ? c : a);
	return browser;
}

i.e. looking for Microsoft Edge and Google Chrome specifically.

With the proposal of defining a ;primary brand, Vivaldi could choose to represent themselves as:

Sec-CH-UA: "[Not.A/Brand](http://not.a/Brand)";v="8", "Chromium";v="114", "Google Chrome";v="114", "Vivaldi";v="114;primary"

i.e.:

• Not.A/Brand for GREASE
• Chromium for engine compatibility
• Google Chrome for simple browser/brand compatibility
• Vivaldi as primary for marketing purposes

Your proposed change would make this situation worse, as now the bad sites just have to check if the primary brand is one they allow, rather than every one in the list

Yes, sites could use the primary denotation for evil. I would hope, given that they could inspect the brands list for engine and browser compatibility (e.g. searching for Google Chrome or even better Chromium), they would choose that rather than expecting a specific flavor of Chromium. At least this would give them the choice, and possibly stop Vivaldi from having to hide their branding.

from client-hints-infrastructure.

@YngveNPettersen writes:

Essentially, Vivaldi will NEVER display our brand to a site we don't control or have a contractual agreement with that involves a requirement to not discriminate (as a matter of fact, it is just a few months since we removed a partner from that list because they were discriminating us).

Is Vivaldi not concerned about being properly represented in marketshare usage reports? I was hoping this proposal could allow Vivaldi to be better represented for markeshare, while still advertising engine/browser/brand compatibility with e.g. Chrome.

Regardless, it will certainly help for other analytics cases.

from client-hints-infrastructure.

Yes, sites could use the primary denotation for evil. I would hope, given that they could inspect the brands list for engine and browser compatibility (e.g. searching for Google Chrome or even better Chromium), they would choose that rather than expecting a specific flavor of Chromium. At least this would give them the choice, and possibly stop Vivaldi from having to hide their branding.

But that doesn't require this ;primary feature? All your suggested fix requires is for Vivaldi to claim to be Google Chrome and Vivaldi at the same time. Adding ;primary might fool the bad sites for a while... until they change their code to always fetch the ;primary brand and then we're back to square one. Much like how the Sec-CH-UA header did in the first place - it helped until bad sites 'updated' their code to bring their bad behaviours in line with the new standard.

@YngveNPettersen can speak with more authority on this, but I assume things aren't as simple as "just claim to be Chrome and yourself".

from client-hints-infrastructure.