• jchw 477 days ago
    I wish people would stop trying to force inject cynicism into this because this is actually pretty amazing of an idea imo. If you look at browsers like Falkon or QuteBrowser they are perfectly serviceable browsers but actually using them can be annoying due to UA sniffing, even by Google. In theory this is the solution to that problem. Freezing and unifying the UA will prevent everyone, including Google, from using it to gate features.

    I am a bit worried, though, about how we will continue to count marketshare. If the intent were to remove the UA it would be worse, but it does seem like browser marketshare analytics based on user agents may be coming to an end.

    (Disclosure: I work for Google on unrelated projects.)

    • Lx1oG-AWb6h_ZG0 477 days ago
      Meanwhile, Google is forcing this massive change across the web right now by defaulting cookies to SameSite=Lax, something that breaks a lot of login scenarios. The only way to fix it is to start emitting SameSite=None. BUT WAIT, a lot of fairly recent browsers (e.g., iOS < 13, Chrome 51-66) don't support it, so you actually need to do this crazy user agent sniffing to not break things: https://www.chromium.org/updates/same-site/incompatible-clie....

      I find it ridiculous that one part of Chrome is forcing me to add user agent sniffing while another part is trying to deprecate it. They need to get their act together: their decisions have massive consequences across the ecosystem and they need to be more responsible.

      • StavrosK 477 days ago
        I've seen this complaint a lot, and to me it amounts to saying "this default is wildly insecure but is used by a tiny fraction of sites, so I'd rather keep the insecure default rather than ask those sites to add a single header".

        Perhaps you can correct me on why that's not so.

        • thayne 477 days ago
          The problem isn't that they need to add a header. The problem is that they need to add the header _or not_ depending on which browser is making the request. Which means you have to sniff the user agent, even though pretty much everyone agrees browser agent sniffing causes problems, and the same browser that is pushing this change is also trying to get rid of the only way to know if that header should be set or not.

          And I think the chrome team could have come up with a solution that didn't involve browser sniffing, such as sending a header in the request identifying that SameSite=Lax is the defualt, or that SameSite=None is accepted. But instead they recommended sniffing the user-agent string.

          • StavrosK 477 days ago
            I don't understand why you sometimes need to not send the header. What happens if you do, in those cases?
            • yuliyp 477 days ago
              https://bugs.webkit.org/show_bug.cgi?id=198181 . If you tell Safari SameSite=None it treats it as SameSite=Strict. If you tell Chrome a couple months from now without SameSite=None, you get SameSite=Lax. There's no way to do this without UA sniffing.
              • StavrosK 477 days ago
                That seems like a pretty egregious bug, presumably there's a spec someone is in violation of?
                • yuliyp 477 days ago
                  The blame lies somewhere between Safari and Chrome. The "None" value was added after the Safari implementation, and then Chrome wants to do the default-changing this year now. Unfortunately it looks like the fix isn't going to get backported to iOS 12, so here we are :-(
                  • Jweb_Guru 477 days ago
                    The point is that UA sniffing provides a last resort way of dealing with bugs in browsers until they are properly fixed (if ever). Imperfect as UA sniffing is, it's a lot better than having literally no way to identify and fix an issue people are having.
                    • heavenlyblue 476 days ago
                      The question here is whether the browser is a tool to solve your business issues, or whether it is a a service that is more similar to police, firefighters or healthcare. I am way more biased towards the second.
                    • IX-103 477 days ago
                      Safari was not following the spec.
                      • thayne 477 days ago
                        Depends on whuch spec you mean. Older versions of safari (anf chrome) were following the original proposed standard (rfc 6265), which said invalid values should be treated as strict. Later versions of Chrome are following a later internet-draft (rfc 6265bis, which I think was proposed by google), that introduced SameSite=none, and changed the behavior for unknown values to be the same as none.
                  • will4274 477 days ago
                    If you send SameSite=None, Chrome 51 through 66 ignore the Set-Cookie header. Chrome 80 requires SameSite=None for cross domain POSTs (e.g. authentication). Google is recommending removing the User-Agent header while Google websites use User Agent detection to workaround bugs in Google User Agents. See https://www.chromium.org/updates/same-site/incompatible-clie... for details of other incompatible User Agents.
                • bryanrasmussen 477 days ago
                  Currently (unless this has change in the past couple weeks) if you add SameSite=None on Safari it will treat it as SameSite=Strict. https://bugs.webkit.org/show_bug.cgi?id=198181

                  So this means that if you need to use SameSite=None you cannot without UA sniffing, which I think is what the parent was complaining about.

                  • jes5199 477 days ago
                    because adding that single header breaks the behavior on old browsers
                • jackjeff 477 days ago
                  I have been on receiving end of browser bugs, developing cutting edge JavaScript applications.

                  It's VERY useful to be able to use the UA string to do something like:

                  if (Chrome version X) then { do this crazy workaround because Chrome is broken }

                  No. People don't even necessarily update to the latest version. The "Samsung Browser" was notorious for seemingly always be some old fork of Chrome or Chromium that would never update.

                  • pornel 477 days ago
                    That approach is fragile, because it won't stop applying the crazy workaround after Chrome version Y fixes the problem. You can't know which version it's going to be, and there's a chance you won't be maintaining that code anymore then.
                    • wvenable 477 days ago
                      But if you can't sniff the browser version, you might still have to apply the crazy work around forever because you have no way of knowing when to stop. It works both ways.
                      • dessant 477 days ago
                        The correct approach is to use feature detection. There are libraries available for it, such as Modernizr [1].

                        [1] https://modernizr.com/docs/#what-is-feature-detection

                        • wvenable 477 days ago
                          You can't always feature detect bugs. I'm not sure why this entire thread is filled "use feature detection" when it's been historically clear that it isn't sufficient.
                          • shakna 477 days ago
                            Part of the proposed deprecation of the useragent is a JS API to expose the information.
                            • Spivak 477 days ago
                              Which is silly since the information that's needed to work around version specific bugs is ($vendor, $version) so people will just end up depending on that and it will start the cycle again.

                              I appreciate the idealism of "if your standard's compliant site doesn't work in Chrome 142 then it's Google's problem" but I can't just throw up my hands and let my site be broken.

                              • shakna 477 days ago
                                > so people will just end up depending on that and it will start the cycle again.

                                The User Hints spec specifically says that user agents aren't required to provide them in all circumstances, and that they shouldn't be provided in some.

                                > User agents ought to exercise judgement before granting access to this information, and MAY impose restrictions above and beyond the secure transport and delegation requirements noted above.

                                The message from Google is clear: Whilst we understand you want to work around bugs, and this is the only way to do it, you really should be second-guessing whether you need to touch this API at all.

                              • pjmlp 477 days ago
                                Great, now my server side rendering code needs to inject JS into the customer to feedback agent capabilities.
                                • shakna 477 days ago
                                  Or check the proposed headers that will also get sent: Sec-CH-Arch, Sec-CH-Model, Sec-CH-Platform, Sec-CH-UA, Sec-CH-Mobile.
                                  • Jon_Lowtek 477 days ago
                                    Sec-CH-Mobile ? - please tell me the meaning of this is "user agent changes position, refresh positional data often" (checks the specs)

                                      user agent prefers a "mobile" user experience.
                                    the spec is a tautology using air-quotes :/
                                    • shakna 477 days ago
                                      That makes sense to me. Different websites will have different expectations of what specifics a mobile experience will need. It may just be different style sheets, or the dev will need to take into account the activity of their particular site, such as reducing background connections to preserve battery life, etc.
                                      • Jon_Lowtek 477 days ago
                                        Surprisingly i do know what >> "mobile" experience << means in this context and can therefor make sense of this, too. I am just making fun of it by pretending i am reading a technical document that is supposed to specify how to build a sane and reliable system ;-)
                                • Rebelgecko 477 days ago
                                  A JS API that tells you which bugs exist in the browser?
                                  • shakna 477 days ago
                                    > Where feature detection fails developers, UA Client Hints are the right path forward.

                                    UA Client Hints will provide: brand, major version, full version, platform brand and architecture, platform architecture, model and whether it should be treated as a mobile platform.

                                    If you were using the UserAgent to guess if the browser was a particular version with a particular bug, now you don't have to parse something and probably get it wrong.

                                    • Jon_Lowtek 477 days ago
                                      > UA Client Hints will provide: brand, major version, ...

                                      It seems you are using "Mozilla 5.0". Your browser is really out of date!

                                      Please consider updating to rand("Googlebot/2.1", "Version/7", "XUL/97", "HTML/5").

                                      • shakna 477 days ago
                                        There's no guarantee the user's browser will just hand over that information with the new spec:

                                        > User agents ought to exercise judgement before granting access to this information, and MAY impose restrictions above and beyond the secure transport and delegation requirements noted above.

                                • kerkeslager 477 days ago
                                  You can't always detect browser version, either.

                                  Hard problems are hard, but my experience, and the recommended approach by browser implementers, is that feature detection works better.

                                • pixelbash 477 days ago
                                  The fundamental issue with this is it tells you about what's there when what you need to know is what's broken (not even necessarily what's missing).
                                  • Lx1oG-AWb6h_ZG0 477 days ago
                                    But this is only accessible on the client side, what about all the other backcompat code on the server side (like the SameSite issue mentioned elsewhere in the thread?) Or server-side rendering? Are we not supposed to care about progressive enhancement anymore?
                                    • Kiro 477 days ago
                                      I build HTML5 games and I need to use very specific hacks for certain browsers, e.g. use a different offscreen canvas implementation for Safari due to performance. I can't use feature detection since it's not about a missing feature.
                                      • clopez 477 days ago
                                        You can benchmark the alternatives for 2 seconds and choose the faster. Call it: performance detection
                                      • microtherion 477 days ago
                                        For that to work, browsers would also have to accurately advertise their own bugs/quirks, which might be a difficult ask.
                                        • ebiester 477 days ago
                                          Wouldn't those quirks be sufficient to fingerprint in the same way?
                                          • microtherion 477 days ago
                                            What if the DOM looks perfectly normal, but doesn't render correctly?
                                  • henryfjordan 477 days ago
                                    In the short-term this might be annoying, but in the longer term this is going to force browsers to adhere more closely to standards. When sites are less able to write different code for different browsers, the onus to fix inconsistencies will transfer from site-maintainers to browser-maintainers.

                                    In 5 years you might look back and realize you no longer write browser-specific code any more.

                                    • jedberg 477 days ago
                                      > In 5 years you might look back and realize you no longer write browser-specific code any more.

                                      We said the same thing when IE started losing market share a decade ago.

                                      The problem is, everyone who makes a browser thinks they have the best ideas in the world, and then impliment them, but their users never blame the browser.

                                      If someone is trying to access your site and it breaks, do you really think they're going to say, "dang, I should really tell Chrome to fix their incompatibility".

                                      No, they will always assume the error lies with the site owner.

                                      • bhk 477 days ago
                                        In such a world, it is not standards that win. It is the predominant browser that wins.

                                        Are you old enough to remember the "best viewed with Netscape" badges that were everywhere in the 90s?

                                        • necovek 477 days ago
                                          Haha, brings back the old days. I had my sites plastered with "best viewed with your eyes" badges, but that never took hold :)
                                        • pjmlp 477 days ago
                                          I have been involved with Web development in some form since late 90's, nice utopia that will never happen.

                                          Unless in 5 years we have only Chrome left, then surely.

                                        • AdamTReineke 477 days ago
                                          +1. The number of rendering invalidation bugs I had to work around in mobile Safari is crazy.

                                          `if(affectedBrowserUA) { elem.style.transform = 'translate3d(0,0,0); elem.style.transform = ''; }`

                                          Edit: I guess you can achieve the same thing through UA client hints. Just need to add a new JS file that reads the request headers and maps them into JS globals.

                                          • tbodt 477 days ago
                                            There's a proposed API for JavaScript to get the same information.
                                            • AdamTReineke 477 days ago
                                              Oh, yup, I see that now. That was the next point after the headers one in the spec.
                                          • kerkeslager 477 days ago
                                            I'd argue that if you're doing this you can't have tested your JavaScript on many platforms. This breaks very quickly in my experience. Feature detection[1] is a much better strategy. That can get complicated too, but often there are third-party polyfills that can do that for you.

                                            [1] https://developer.mozilla.org/en-US/docs/Learn/Tools_and_tes...

                                          • cpeterso 477 days ago
                                            Google can start by phasing out UA sniffing on their own websites, such Google Stadia blocking Microsoft's Chromium Edge users:


                                            • shadowgovt 477 days ago
                                              Does this change allow for the server to refrain from having to do RPCs to the browser to get additional feature information to figure out what quirks the vended page / JS needs to be compatible with?

                                              I'm all for more privacy, but IIUC the main reason big sites like Google still do any UA sniffing at all is to minimize the latency / byte cost for the client in vending a web site that is expected to work.

                                              • jchw 477 days ago
                                                IMO: Old browsers will still send UAs, since obviously they’re not going to update for this change. New browsers should support enough of the web platform to obsolete this practice going forward.
                                                • Zarel 477 days ago
                                                  New browsers still don't support everything. One of my biggest questions: "Does this device have a keyboard?" (relevant for "should I show hints for keyboard shortcuts?") is still straight-up unanswerable, and all I can do is guess from the UA.

                                                  Other questions include "should I tell the user to drag-and-drop?" "should I tell the user to tap?" etc.

                                                  • JoshTriplett 477 days ago
                                                    > One of my biggest questions: "Does this device have a keyboard?" (relevant for "should I show hints for keyboard shortcuts?") is still straight-up unanswerable, and all I can do is guess from the UA.

                                                    Mobile devices have keyboards. If you mean "does this device have a physical keyboard", you don't need to know that. If you mean "does this device have modifier keys like ctrl and alt", someone might have hooked up a bluetooth or USB keyboard to their mobile device.

                                                    If you're on a large screen, show hints if you have room. (You might also show such hints in tooltips, as devices with a concept of "hover" correlate well with devices where keyboard shortcuts make sense.) If you're on a small screen, provide a way for people to get those hints anyway via a help option.

                                                    > Other questions include "should I tell the user to drag-and-drop?" "should I tell the user to tap?" etc.

                                                    19-year-old advice that remains useful: https://www.w3.org/QA/Tips/noClickHere

                                                    You can't tell from the user-agent if, for instance, someone might be using a screen-reader or other assistive technology, or otherwise using an interface you don't expect. Tell people what option/link to use, not how to activate it. Help them out with things like highlights, or tours, or sample videos.

                                                    • akersten 477 days ago
                                                      > If you mean "does this device have modifier keys like ctrl and alt", someone might have hooked up a bluetooth or USB keyboard to their mobile device.

                                                      I'll take the liberty to say yes, that is what they mean, and that is their point: there is no way to detect whether those keys are available, so the best we can do is guess.

                                                      And yes, I might actually need to know whether there is a physical keyboard or not. For example, do I auto-focus the input field? For devices with OSKs, the keyboard will pop up right away and obscure most of the site on mobile. For devices where the OSK won't pop up, I want the focus to land there immediately for usability.

                                                      • robocat 477 days ago
                                                        Agree. Also with a physical keyboard (PC) you can filter keypress events in an <input>, but with a virtual keyboard (Android) you cannot (keycode is always 0 due to IME).

                                                        A time entry input is a good example: on the PC you can accept valid [0123456789:.APMapm] characters as the user types, and have the HTML page do something sensible and show something sensible. On Android you either have an ugly time picker (they are all ugly!) or use hideous workarounds to try and detect keypresses.

                                                        Android and iOS have `inputmode=` but it is very restricted and there are wierd and sometimes incompatible differences between browsers or browser versions or OS versions. Custom data entry (e.g. time, date ranges, etc) is super ugly in HTML.

                                                        I have found many browser version and device specific bugs with virtual keyboards or PC keyboard entry that cannot be "feature detected" (browser version must be sniffed).

                                                        • anoncake 477 days ago
                                                          Please stop trying to do the browser developers' job. If focusing the input field opens the keyboard, that's the correct behavior, whether you agree with it or not.
                                                        • shadowgovt 477 days ago
                                                          > 19-year-old advice that remains useful: https://www.w3.org/QA/Tips/noClickHere

                                                          Ah, my favorite aspect of the w3c process: responding to the need for perfectly reasonable UX discoverability for users unaccustomed to using browsers with "You don't actually want to do that."

                                                          There's a reason so much of the web development world considers the documents they make to be "take with a grain of salt and do what works for your users."

                                                          • Zarel 477 days ago
                                                            I'm moderately annoyed you think I don't already know all these things.

                                                            The problem isn't that I don't know these things, it's that I'm beyond those things and trying to add subtle things to improve quality of life.

                                                            > Mobile devices have keyboards. If you mean "does this device have a physical keyboard", you don't need to know that. If you mean "does this device have modifier keys like ctrl and alt", someone might have hooked up a bluetooth or USB keyboard to their mobile device.

                                                            Yes, and this makes the experience on mobile devices worse!

                                                            On a laptop, if you open Discord, click on your friend's name, and start typing, you'll send your friend a message.

                                                            On an iPad with a keyboard, if you open Discord, click on (tap) your friend's name, and start typing, nothing will happen.

                                                            You say "there's no way to detect an iPad with a keyboard" like it's a good thing, but it's clearly a bad thing!

                                                            I go over a similar problem here: https://news.ycombinator.com/item?id=22047246

                                                            > If you're on a large screen, show hints if you have room. (You might also show such hints in tooltips, as devices with a concept of "hover" correlate well with devices where keyboard shortcuts make sense.) If you're on a small screen, provide a way for people to get those hints anyway via a help option.

                                                            This is clearly a worse experience for the user because it means hints are shown to users for whom they make no sense.

                                                            Like, yes, that's what I currently do, and it sucks.

                                                            > You can't tell from the user-agent if, for instance, someone might be using a screen-reader or other assistive technology, or otherwise using an interface you don't expect. Tell people what option/link to use, not how to activate it. Help them out with things like highlights, or tours, or sample videos.

                                                            There aren't ways to detect if someone is using a screen-reader, but there are plenty of W3C ARIA tags screen-readers understand, which, if used correctly, can improve quality of life for them. I get a lot of feedback from screen-reader users that they love my graphical online video game, because I went out of my way to improve quality-of-life for them.

                                                            And now, I want to improve quality-of-life for users on iPads, and you tell me "no! everything must be the same on everything!" No! I refuse to accept that!

                                                            GitHub has a hint in their comment boxes that you can attach files by drag/drop or pasting. That's the sort of thing I'm talking about. It's miles away from a button labeled "click here". There's no need for this smarmy "don't tell the user how to activate a feature". Some features are subtle and need hints!

                                                            • JoshTriplett 477 days ago
                                                              > I'm moderately annoyed you think I don't already know all these things.

                                                              I was not suggesting you didn't, but more than one person will read this conversation.

                                                              > This is clearly a worse experience for the user because it means hints are shown to users for whom they make no sense.

                                                              Or to users for whom you don't know that they do make sense. If you guess incorrectly that a device doesn't have a keyboard when it does, you'll prevent users from discovering your keyboard shortcuts.

                                                              I would also suggest that web standards need to improve, to make it easier to help figure out which hints to offer. For instance, I think it would be perfectly reasonable to offer a mechanism to detect "should I show hints for keyboard shortcuts", which desktop browsers would always enable, and mobile devices would enable if they have an attached keyboard or if the user is using another mechanism that might allow for shortcuts. And one day, perhaps we'll have a standard for keyboard shortcuts that will allow users to remap those shortcuts and allow the browser to provide "native" hints that those shortcuts exist.

                                                              I'm not trying to suggest that the current state is ideal, or that it can't be improved. I'm suggesting that user-agent-based detection is in some ways worse.

                                                              > no! everything must be the same on everything

                                                              That's not what I said. I'm suggesting that everything should be accessible on every platform. You might well make adaptations and hints based on screen size, or based on whether the user has previously typed keys directly at something other than a text box; just don't make assumptions the user can't work around or change if you've detected them incorrectly. I've dealt with sites that force the use of mobile if they catch the slightest whiff of "this might be a mobile device", and the mobile experience is far less capable. (That's leaving aside the anti-pattern of "are you sure you want to use a web browser instead of our app?".)

                                                              Personally, I would suggest detecting if someone "types at" the page without being in an input box, and offering to not only focus the input box but set a device-local preference to automatically do so in the future.

                                                              • Uehreka 477 days ago
                                                                I think the thrust of GPs argument is "Before they take away the UA string (the one clumsy tool that I can use to half-accomplish my goals) I wish they'd add official APIs to detect these kinds of things".
                                                          • jchw 477 days ago
                                                            Ideally, imo, most sites should use the web platform as intended and their sites will work fine regardless of input device.

                                                            If you are using UA sniffing to determine if the device has a keyboard it will be wrong a lot of the time; you can’t tell if a Microsoft Surface has the keyboard attached or an iPad doesn't. you’d probably be no worse off trying to detect it by screen width, which is already a defacto way to detect mobile devices anyways, for better or worse.

                                                            (The right solution is probably a new kind of API or media query.)

                                                            • Zarel 477 days ago
                                                              I know, that's why I said "unanswerable" and "all I can do is guess".

                                                              The specific feature this came up recently is whether or not a chat app should autofocus the input box. Ideally, the answer is "yes" if you have a keyboard (lets you start sending messages faster) and "no" if you don't (the on-screen keyboard would cover up the conversation and be distracting).

                                                              There's, of course, no way to detect an iPad keyboard, so currently iPads miss out on autofocus.

                                                              Discord, incidentally, uses an alternate solution: "don't autofocus the textbox, but instead detect keypresses outside the textbox and manually insert the corresponding letters in the box". This, of course, completely fails for various non-Latin keyboards, such as Japanese: if you type "chi", it will insert 「cひ」 instead of 「ち」.

                                                            • mikewhy 477 days ago
                                                              > should I tell the user to tap

                                                              I always use the term "tap". MacBook / Magic trackpads literally have an option called "tap to click".

                                                              > should I tell the user to drag-and-drop

                                                              Both mobile and desktop support drag and drop, so not sure why you'd want to disable it for either.

                                                              • true_religion 477 days ago
                                                                Mobile browsers are space constrained so although you can drag and drop, practically speaking if your drop target is off screen, it’s a poor user experience.
                                                              • phkahler 477 days ago
                                                                >> Other questions include "should I tell the user to drag-and-drop?" "should I tell the user to tap?" etc

                                                                Why are you doing all that? Just offer the desktop version or Mobil version and be done with it. You dont need to figure out dev_caps in such detail.

                                                                • Zarel 477 days ago
                                                                  Because I still believe in the ideals of responsive web design. If a desktop user wants to use my site in a tiny window (maybe to tile it next to another window), they should still be able to use keyboard shortcuts. And if a user with a large screen wants to use touch interaction (maybe they have a Surface Studio), they should be able to.

                                                                  There's no reason to make multiple sites each with their own flaws, when you can just make one site that can do anything.

                                                          • Supermancho 477 days ago
                                                            > if the intent were to remove the UA it would be worse

                                                            That is hopefully the end goal. It's not worse, it's an ideal that goes hand in hand with reducing cookie usage, removing flash, mandating SSL, etc. The UA was an attempt to see if the ecosystem could cooperate to make apps more actively intelligent. This is a failed experiment. Security teaches us to reduce attack surface and we should not be using half-measures like a header-string to trigger naive/implicit client behavior. Behaviors should be explicit for safety.

                                                            • owenmarshall 477 days ago
                                                              It's a great technical decision that may hopefully drive sites towards web standards, but technical decisions don't exist in a vacuum and can't be analyzed in them.

                                                              The world's biggest advertisement provider's browser arm isn't going to turn off a source of fingerprinting data unless they simply don't need it anymore. It's far more likely that Google is pulling the ladder up behind them: they can identify users without that fingerprinting data, so it's beneficial to deny it to their competitors.

                                                              This can be simultaneously a great technical decision and a decision that entrenches Google.

                                                              • kerkeslager 477 days ago
                                                                > I am a bit worried, though, about how we will continue to count marketshare. If the intent were to remove the UA it would be worse, but it does seem like browser marketshare analytics based on user agents may be coming to an end.

                                                                I think there's an implicit assumption a lot of people (not you) are making: that there's no cost in collecting data. There is: often you change things by observing them, and that's not always a good thing.

                                                                There are big costs to UA strings.

                                                                • pilif 477 days ago
                                                                  > In theory this is the solution to that problem

                                                                  How so? There is still an API to ask for more details, so you can continue to do exactly the same thing as before at the cost of a few additional API calls

                                                                  What am I not seeing? To me this feels like just adding more complexity to still end up at the same spot we are now.

                                                                  • bryanrasmussen 477 days ago
                                                                    as I observed in the previous thread on this subject you will still be able to gate features, just you won't use the UA to do it. It might also be that being able to detect exactly what browser someone is using will become a much harder undertaking, requiring significant investment of developer hours, that only some companies will have the resources to invest.
                                                                  • ChrisSD 478 days ago
                                                                    > On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason.

                                                                    > The above abuse makes it desirable to freeze the UA string and replace it with a better mechanism.

                                                                    UA sniffing should have died out a long time ago. It's frustrating that it's 2020 and I'm still having my browsing experience broken for no other reason than the site doesn't like my UA.

                                                                    • sebazzz 477 days ago
                                                                      User agent sniffing is still sometimes required. Take the SameSite bugs that Safari had. On the server you needed to act on that based on User Agent sniffing.
                                                                      • xfalcox 477 days ago
                                                                        > SameSite bugs that Safari had

                                                                        Safari has SameSite bugs and it's infuriating that after years they don't even update the bug reports, let alone fix those.


                                                                        • vdnkh 477 days ago
                                                                          Agreed. For media streaming UA sniffing is required because of quirks each browser has in decoding media. Safari has a few quirks about the MP4 packaging it likes via MediaSourceExtensions. Firefox's network stack includes a delay not related to the actual request because of its implementation[0] which makes timing of small downloads very inaccurate. None of these differences are discernible except by UA.

                                                                          [1] I believe FF includes in the download length the time a request spends sitting in the request queue, but I can't exactly remember.

                                                                          • anoncake 477 days ago
                                                                            Browsers have those quirks because web designers work around and hide them.
                                                                          • Macha 477 days ago
                                                                            I also remember a CSS bug Safari 4 or 5 had with tables and touch scrollbars that we had to resort to UA detection for - it's not always possible to feature detect bugs.
                                                                            • nmadden 477 days ago
                                                                              Right, and it’s not just Safari. This is the current complexity of User-Agent sniffing that the SameSite change requires if you need to disable it:


                                                                              • jerf 477 days ago
                                                                                I think it's distinctly possible that the current status quo may cause an overreaction. Feature detection is good. But we may also need the ability to do specific version checking sometimes.

                                                                                What I think would be best is two things: A feature advertising string (preferably with some versioning in itself), and a new User Agent string that is just that: The user agent. As in, "This is Firefox 72.2.813". Maybe the OS in there too. I think a non-trivial part of the problem with the UA today is "Hey... I'm Firefox. Also, I'm Mozilla. Also, I'm edge 3, and Internet Explorer 6, and today I think I'm also Chrome. Also, I may be a monkey with a banana plugged in to an ethernet cable." Part of the problem is that people abuse the user agent, but part of the problem is that the user agent string is also a pack of outright, outrageous, self-contradictory lies. A truthful field may still have significant utility.

                                                                                One of the things I've learned over the years in software engineering is that you should do you best to make sure that your system doesn't contain lies, or, failing that, treat them like any other issues that you should contain at the edges rather than letting it run riot through your system. For instance, if you decide to let customers have 10GB of bandwidth free before you start charging them, you should never accomplish that goal by tweaking the bandwidth counting system to report 7.5GB of usage as 0GB. That is a lie. Tell the truth about the usage and let the billing system apply the discount, which is itself a truth as well. You always pay for lies in the system in the long run. It is a very common pattern in coding as well where some function author figures out how to assemble the correct lie to some other function to make it do what the author things they want, but in the long run you're better off telling the truth and fixing the code to work with the truth. Otherwise, well, you really do end up with a tangled web of code. Which is... exactly what we've gotten with UA-detection-based code. We won't necessarily get the same mess if there's a new UA that isn't a lie.

                                                                                I'm not claiming this will lead to utopia. Minority forks of popular browsers will fail to pick up the necessary ad-hoc bug fixes this way, for instance. My claim is more like in the long run, the best thing for everybody is just to have a user agent that tells the truth, even if on occasion in the short term you experience occasional problems.

                                                                                (One way to at least partially achieve this is to standardize the new truthful agent string to something like (\w+) ((\d+.)+\d) (\w+), and specify it as "non-conforming true user agent strings MUST be entirely rejected and treated as being absent", so anyone who tries to be Firefox and Chrome and also a monkey ends up being nobody in particular.)

                                                                                • ChrisSD 477 days ago
                                                                                  But that's what this proposal is about. Instead of using the user agent string (which lies and needs to be parsed) you have some well specified variables to check.

                                                                                  Also I think you're missing why the user agent lies now. It wasn't done on a lark. It's because it's been abused so much by web devs. Both by sloppy regular expressions and deliberately. For example, even big names like Microsoft and Google have at times used it to unnecessarily deliver poorer browsing experiences to people not using their browser.

                                                                                  Sure browsers could have stuck to their guns and been "honest" about their UA. But honesty is no comfort to users of the browser when they find websites break for no reason. The average user is more likely to blame the browser than the website.

                                                                                  • jerf 477 days ago
                                                                                    I am completely aware of why the user agent lies now. Didn't I explain exactly how it is broken in my post? I was basically there for when it broke; I remember when IE came out claiming to be "Mozilla" because otherwise a surprising number of sites wouldn't serve them the latest whizbang Netscape 3 HTML. (I thought it was a bad idea then, but with much less understanding of why.) This is why I kept calling what I'm asking for a new field; the User Agent itself can't be rehabilitated.

                                                                                    The parent of my post is correct; in practice we're still going to need the occasional ability to shim in browser-specific fixes, because even if the browsers do their best, they're going to inadvertently lie in the future and claim to support WebVR1.0 in Firefox 92, but, whoops, actually it crashes the entire browser if you try to do anything serious in it. Or, whoops, Firefox 92 does do a pretty decent job of WebVR1.0 but I need some attribute they overlooked. Or any number of similar little fixups. We know from experience from the field in the real world that we're talking about crashing bugs here at times; this is real thing that has happened. Whatever proposal gets implemented should deal with this case too.

                                                                                    If we standardized on the format like I suggested at the end of my post, it would go a long ways towards preventing future browsers from mucking up the field. If you just get "$BROWSER $VERSION $OS" in a rigid specification, and if the major browsers are sure to conform to that, and the major frameworks enforce it, it'll be enough to prevent it from becoming a problem in the future. It won't stop Joe Bob's Bait Shack & Cloud Services from giving their client a custom browser and/or server that abuses it, but there's no stopping them from doing things like that no matter what you do, so shrug.

                                                                                    • ChrisSD 477 days ago
                                                                                      Then I'm not sure I understand you. The proposal is clearly proposing new fields that are less susceptible to abuse (whether intentional or not). Your idea of parsing a "$BROWSER $VERSION $OS" string seems inferior to client hints that use structured headers.
                                                                                      • jerf 477 days ago
                                                                                        I'm saying we still need a browser version field, in addition to a feature field. Features would do on their own, if they were perfect, but we shouldn't plan on them always being perfect. We have a demonstrated, in-the-field history of browsers claiming to support features when in fact they don't quite support them, and can even have crashing bugs. In the real world, supporting WebVR1.0 is more than just putting "web-vr/1.0.0" in the feature string.

                                                                                        Culturally, you should prefer to use feature detection. Most developers would never need to use anything else. But when Amazon makes its new whizbang WebVR1.0 front-end in 2024, they may need the ability to blacklist a particular browser. Lacking that ability may actually prevent them from being able to ship, if shipping will result in some non-trivial fraction of the browsers claiming "web-vr/1.0.0" will in fact crash, and they have nothing they can do about it.

                                                                                        Besides... they will find a way to blacklist the browser. Honestly "prevent anyone from ever knowing what version of the browser is accessing your site" is not something you can accomplish. If you don't give them some type of user agent in the header, it doesn't mean the Amazon engineers are just going to throw their hands up and fail to ship. They will do something even more inadvisable than user agent sniffing, because you "cleverly" backed them into a corner. If necessary, they will examine the order of headers, details of the TLS negotiation, all sorts of things. See "server fingerprinting" in the security area. You can't really stop it. Might as well just give it to them as a header. But this time, a clean, specified, strict one based on decades of experience, instead of the bashed-together mess that is User-Agent.

                                                                                        Or, to put it really shortly, the fact that a bashed-together User-Agent header has been a disaster is not sufficient proof that the entire idea of sending a User Agent is fundamentally flawed. You can't separate from the current facts whether the problem is that User Agent sniffing is always 100% guarantee totally black&white no shades of grey mega-bad, or if it's the bashed-together nature of the field that is the problem.

                                                                                • JohnFen 477 days ago
                                                                                  Working around browser bugs only helps to ensure that those bugs will never get fixed. Better that things like the UA are removed to make that impossible. In that world, sites would be best served be coding to the standard and putting the work of fixing incompatibilities/bugs back onto the browser makers where it belongs.
                                                                                • DJBunnies 478 days ago
                                                                                  I have some news for you about what year it is.
                                                                                  • ChrisSD 478 days ago
                                                                                    Thanks, I've edited.
                                                                                    • cmsd2 478 days ago
                                                                                      i predict this comment will age badly.
                                                                                  • dTal 477 days ago
                                                                                    Of course, when the User Agent sniffing messes up, you're perfectly free to change it, and see what else you can get the server to send you. Can you still do that with whatever crazy "feature detection" replaces it?
                                                                                    • gsich 478 days ago
                                                                                      Don't use $current_year argumentation.
                                                                                      • wruza 477 days ago
                                                                                        It is a subjective version of “too long not fixed”. Like gp remembers this exact problem in 1980/1990/2000 and still there it is. A specific year has nothing to do with it.

                                                                                        So come on, it’s 2020 and we still have to explain idioms to each other :)

                                                                                        • interfixus 477 days ago
                                                                                          Don't don't.
                                                                                      • buu700 477 days ago
                                                                                        There are many, many cases where UA sniffing is correct and required. Browsers are buggy, complicated pieces of software that don't always behave 100% as specified or expected.

                                                                                        Feature detection is well and good, and should be the first line of attack; but sometimes you need to account for things like certain versions of Safari having WebRTC "support" that's actually completely broken, certain versions of Chrome crashing when certain WebAssembly features are used, and Firefox-specific CSS bugs. (All real examples I've run into.)

                                                                                        It may not be the worst thing in the world if UA sniffing is broken for all existing web properties though, since anything not well maintained enough to migrate to a new API is probably either working off of outdated information or abusing UA sniffing where feature detection would have been more appropriate anyway.

                                                                                        That being said, requiring a server to use User Agent Client Hints is stupid. What are client-side libraries like webrtc-adapter (https://github.com/webrtcHacks/adapter/issues/1017) supposed to do? I don't see any goals listed that wouldn't be addressed equally well while providing an equivalent JS API.

                                                                                        • crazygringo 477 days ago
                                                                                          > There are many, many cases where UA sniffing is correct and required.

                                                                                          This times a million.

                                                                                          Browsers have tons of bugs/inconsistencies where knowing the browser+version is the only way to work around them. Even when browsers fix them, you need to keep the workarounds for people still on the older versions.

                                                                                          When I wrote a library that used the audio API, I couldn't believe the number of browser+version-specific workarounds I had to code for.

                                                                                          And it's not just "bugs" but things where the spec is unclear. I don't remember the exact specifics, but it was a lot of stuff like "if I send a pause command, will a stop event fire afterwards or a pause event or no event at all?" There were a lot of situations where there was zero overlap between browsers. Literally no choice but to use user agent sniffing.

                                                                                          • xtracto 477 days ago
                                                                                            Just a couple of weeks ago we had a customer complain that their customers were having problems using our technology in IE11 because it was too slow...

                                                                                            We had to recur to identifying IE11 to write workarounds so that it works there...

                                                                                            • darekkay 475 days ago
                                                                                              Did you really require UA sniffing, though? There are other methods for detecting IE11, both for JS and CSS.
                                                                                            • tbodt 477 days ago
                                                                                              There is an equivalent JS API proposed.
                                                                                            • tsegratis 478 days ago
                                                                                              I'd still like a way to feature detect, rather than make a round-trip to the browser. This would let me embed webasm rather than js+branch to begin a second download if feature found... etc

                                                                                              I suggest UA string be a bitmask of features. Then feature detection should stop being broken

                                                                                              Extra bits could be used for js-on/js-off, and is-bot/is-human


                                                                                              Ah I see they're kind of doing the bitmask, but keeping a round-trip, and making things complicated (though I realize latest http standards can probably remove those round-trips in the average case)

                                                                                              I'd still suggest the bitmask for non-sensitive information, and have everything else simply js-tested as it currently is

                                                                                              Maybe is-user-blind might be a nice bit too, since canvas based websites could switch to the dom, or whatever

                                                                                              • tsegratis 477 days ago
                                                                                                Please could we also have a couple more privacy setting bits for i-accept-your-cookies and i-want-to-be-told-about-cookies-on-every-single-website-because-i-forget-what-they-are-and-really-want-to-click-through-to-your-privacy-settings

                                                                                                If we have those bits, then the user can make a set of choices once, for every site, and we get rid of cookie pop-ups

                                                                                                -- Websites could still ask if they want/need to do something that violates those choices

                                                                                                • zeven7 477 days ago
                                                                                                  Or we can just assume like reasonable adults that websites are going to put cookies in your browser and promote privacy-oriented tech to users rather than trying to pretend that having every website ask for permission in order to enable basic functionality solves anything.
                                                                                                  • pjc50 477 days ago
                                                                                                    > promote privacy-oriented tech to users

                                                                                                    Like what?

                                                                                                    > every website ask for permission in order to enable basic functionality

                                                                                                    I don't believe that purely functional cookies require GDPR permission - that's covered by "provide services to the user". It's the ones which are functionality to third parties not the user which are the problem.

                                                                                                    • zeven7 477 days ago
                                                                                                      > I don't believe that purely functional cookies require GDPR permission - that's covered by "provide services to the user". It's the ones which are functionality to third parties not the user which are the problem.

                                                                                                      Ah, I didn't realize that. Well, that does sound much more reasonable.

                                                                                                      • pjc50 477 days ago
                                                                                                        Actually the ICO page itself presents a great example: if you go to https://ico.org.uk/for-organisations/guide-to-data-protectio... you get:

                                                                                                        > Necessary cookies

                                                                                                        > Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

                                                                                                        > Analytics cookies [toggle On/Off]

                                                                                                        > We'd like to set Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone. For more information on how these cookies work, please see our 'Cookies page'.

                                                                                                        The implication is that a consent dialog would not be required if they weren't using Google Analytics or any other third-party.

                                                                                                  • jrockway 477 days ago
                                                                                                    That would be nice. I feel like the "cookie warnings" basically read as "this site doesn't actually need cookies to work, but we want to track you". We should just have some sort of "do not track" header that indicates we don't accept those terms, and then websites can badger us if they really need cookies, like for logins.
                                                                                                    • toyg 477 days ago
                                                                                                      > I feel like the "cookie warnings" basically read as "this site doesn't actually need cookies to work, but we want to track you".

                                                                                                      I typically read those warnings as reminders that I should open the site in a FF container.

                                                                                                    • mschuster91 477 days ago
                                                                                                      > If we have those bits, then the user can make a set of choices once, for every site, and we get rid of cookie pop-ups

                                                                                                      That one was tried with the DNT bit - of course users ended up en masse setting it to "do not track" by default. Sites won't accept that.

                                                                                                      • HorstG 477 days ago
                                                                                                        Sites need to be told to obey DNT with a legal sledgehammer. Still hoping...
                                                                                                      • anoncake 477 days ago
                                                                                                        The eprivacy regulation, taking care of that, was supposed to be finished by the time the GDPR went into force. But Austria's pro-business government managed to delay it until there wasn't enough time before the last European Elections.
                                                                                                      • __s 477 days ago
                                                                                                        > This would let me embed webasm rather than js+branch to begin a second download if feature found... etc

                                                                                                        This is exactly what you aren't supposed to do

                                                                                                        Either send the wasm optimistically & fallback to js on error, or send it reactively with js+branch

                                                                                                        • tsegratis 477 days ago
                                                                                                          Currently, yes, you are right. But what I'm suggesting is that current situation could be improved

                                                                                                          A http header bitmask set by javascript:testWASM(), would be equivalent to what you suggest...

                                                                                                          But avoid the js, and making a second trip to the server

                                                                                                        • miohtama 477 days ago
                                                                                                          The proposed UA Client Hints is more privacy oriented way to get some diagnostics data and detection from browsers


                                                                                                        • zerotolerance 477 days ago
                                                                                                          I think the proposal is well-intentioned and shortsighted. Nobody ever plans for a junk drawer feature, but certain features are destined to be fragile fuzzy contracts regardless. Unless this proposal seeks to eliminate the differences between different user agents, it is proposing moving to a different but equivalent junk drawer. The change would create real pain for service providers and consumers alike and provide little benefit.

                                                                                                          From the implementation side, I would have preferred to see an OPTIONS request style solution similar to CORS to allow complying UAs to detect what if any UA information will be required.

                                                                                                          • Izkata 477 days ago
                                                                                                            > I think the proposal is well-intentioned and shortsighted.

                                                                                                            Could also be evil and long-term: user agents won't matter anymore once everything is auto-updated Chrome, right?

                                                                                                          • dijit 478 days ago
                                                                                                            Google recently introduced a new “secure” login page which forces my chromium based browser (qutebrowser) to fake a Mozilla firefox user agent in order to work.

                                                                                                            As such, I think if detection comes in some other form, it might be harder to trick some sites into working properly.

                                                                                                            • zzzcpan 478 days ago
                                                                                                              Despite all the PR about "privacy", they don't seem to intend to prevent detection at all and are introducing even more surface for detection with client hints. Basically the opposite of what the title implies.
                                                                                                              • rowan_m 478 days ago
                                                                                                                Client Hints (https://wicg.github.io/ua-client-hints/) move a passive fingerprinting vector to an active one, i.e. information must be explicitly requested by the site and then the browser can choose how to respond.

                                                                                                                The default level of information exposed drops to just the browser name and major version, which is only sent to sites on HTTPS and with JavaScript enabled.

                                                                                                                Additional hints are only sent on subsequent requests by the browser if the site sends the matching header in its initial response and the browser chooses to send a value. The current set of proposed hints define the same amount of information exposed Chrome's User-Agent string.

                                                                                                                • HorstG 477 days ago
                                                                                                                  Yes, but the fear remains that all sites will just always request everything from ua-client-hints. It is also totally unclear how browsers will handle this. I think making this permissioned will just add to the PrivacyNagOverload. Also, browsers will continue to lie in the hints because sites will always make broken assumptions or even try to do mischief with the info.

                                                                                                                  I think the only winning move is not to play: Freeze the User-Agent and do not provide a replacement. Or at the very least, make the replacement based on actual feature bits, not version numbers and device models.

                                                                                                                  • rowan_m 477 days ago
                                                                                                                    This is part of what the Privacy Budget (https://github.com/bslassey/privacy-budget) proposal aims to tackle. Freezing the User-Agent string reduces the amount of information exposed by default. UA Client Hints means the site has to explicitly request the additional information. The browser makes a choice about how to allocate / enforce budget. You're right though about how that works and how it would be exposed to the user in their browser still being open questions! More permission pop-ups certainly aren't the answer.
                                                                                                                    • HorstG 477 days ago
                                                                                                                      That would still cause pages to do evil things if users set their privacy budget to "0/paranoid" or anything below "11/just gimme all".

                                                                                                                      Just as with adblockers users will be nagged about "please turn that dial to 11". On average nothing will improve except for users who are able enough to get around those shenanigans even now.

                                                                                                                      • danShumway 477 days ago
                                                                                                                        I think there's a fundamental principle/security in privacy that we don't really understand broadly enough across the industry -- that if you allow someone to know whether or not you're hiding/disabling something, they can often just force you to change the setting.

                                                                                                                        Just as one example, active-permissions that can be revoked after being granted aren't perfect, but are a big step up over manifests, because they're more work to exploit and often allow users to retroactively change permissions after an app checks if they're allowed.

                                                                                                                        Not to pick on the Privacy Budget specifically, but I worry that proposals like this don't really get that larger principle yet -- that it's still something we haven't quite internalized in the privacy community. If a site exceeds the privacy budget, it shouldn't get told. It should just get misinformation.

                                                                                                                        It's like autoplay permissions. Autoplay permissions on web audio are awful, because you can just keep trying things until you get around the restriction. What would be better is to auto-mute the tab, because that would be completely invisible to code running on the page.

                                                                                                                        • HorstG 477 days ago
                                                                                                                          Agreed, for things like autoplay. But dual-use features like feature detection that also enables fingerprinting cannot be replaced by randomized misinformation because that would really randomly break legitimate stuff.

                                                                                                                          The only privacy-conscious way would be no feature-detection at all or a very coarse-grained approach like "I support HTML2021".

                                                                                                                          • danShumway 477 days ago
                                                                                                                            Sort of.

                                                                                                                            You can't lie that you do support something, but you can lie in the opposite direction. And for sites that legitimately need that feature to function, you don't get much benefit -- if a site genuinely needs Chrome's Native File access, saying that you don't have it just means the site won't work.

                                                                                                                            But there's a grey area past that, which is that sites that don't need a feature, but are just using it to fingerprint, can have that feature broken without repercussion. If a news site requests Native File Access, and I say "I don't support that", then whatever.

                                                                                                                            This puts engineers in an interesting position. You can't just break your site whenever the full range of features that every browser supports aren't available, because:

                                                                                                                            A) You want to support a wide range of browsers, and if your news site doesn't work with multiple browsers you're just losing potential market.

                                                                                                                            B) A fingerprinting metric that just rejects every browser that doesn't support everything is not an effective fingerprinter. At that point, we basically have the corse-grained approach you're talking about.

                                                                                                                            The problem with this approach is that when a site requests capabilities, you need some way to figure out whether or not they're actually required, and whether or not you can lie about them. Permission prompts are... well, there are probably UXs that work, but most of them are also probably too annoying to use. In practice, I suspect that manually tagging sites is not an insurmountable task -- adblockers already kind of do this today.

                                                                                                                            One thing to push for with Client Hints is that it really, really needs to be an API that's interceptable and controllable by web extensions.

                                                                                                                            The same thing is true of fonts today -- if you lie and say you already have a font that you don't, congratulations, your text rendering is broken. But you can still lie about not having fonts, and you can still standardize your installed fonts to a smaller subset to make your browser less unique.

                                                                                                                            • anoncake 477 days ago
                                                                                                                              And all of this incidental complexity wouldn't exist if we had a sane document-based web that doesn't allow webmasters to run scripts in the browser.
                                                                                                                              • danShumway 476 days ago
                                                                                                                                I've written about this in the past, but we do really need at least one user-accessible, general computing environment that protects against these kinds of privacy attacks. It doesn't need to be the web, but I don't know of a better, currently-usable platform.

                                                                                                                                I often hear proposals that the web should just be for static documents, and I'm fine with that, but very rarely are those proposals followed up with alternative ways for ordinary people to run untrusted code. The assumption seems to be that if the web didn't exist, users would instead be responsibly vetting every binary on their computer, rather than downloading them en-mass from dozens of sources. And just looking at the smartphone app market, I don't think that assumption is true.

                                                                                                                                Again, not to say that a better alternative platform couldn't exist, but who's working on it? The native desktop platforms I see almost all do a worse job than the web at protecting against fingerprinting. It's almost universally better for privacy to use Facebook in a browser instead of downloading their native phone app.

                                                                                                                                • anoncake 476 days ago
                                                                                                                                  I don't think sandboxing is the solution. It gets in the way of functionality and you still have to trust the developer: They can abuse the permissions that their program legitimately needs and they can use dark patterns. You should never run untrusted code so there is no need for a platform that facilitates it.

                                                                                                                                  What we need are standardized protocols, strict customer protection laws and trustworthy software repositories so users can get software they can trust without having to vet it.

                                                                                                                                  > Again, not to say that a better alternative platform couldn't exist, but who's working on it?

                                                                                                                                  ~Nobody is working on such a platform because the app web exists. Remove it and there is a lot more incentive to create a replacement. Regression to the mean alone practically guarantees that it will be superior.

                                                                                                                                  • danShumway 475 days ago
                                                                                                                                    > You should never run untrusted code so there is no need for a platform that facilitates it.

                                                                                                                                    I don't believe this is a practical philosophy given the way that ordinary people use both the web and apps today. If you can convince me that you have a plan to make everyone en-mass stop installing the Facebook App, I might be persuaded to change my mind. But I regard the advice, "don't run untrusted code" to be a bit like saying, "stick to abstinence to avoid pregnancy". The advice isn't technically wrong, we just have good evidence that it doesn't work for society in general.

                                                                                                                                    I also think that "untrusted" is being used as a really broad catch-all here. Trust isn't binary. I trust a calculator app to give me the correct answer to a multiplication problem, I don't trust it to store my banking information.

                                                                                                                                    What sandboxes do are they allow us to set up boundaries for apps that we partially trust. Of course, sandboxes don't remove the need for consumers to be taught not to blindly trust everything. But they're not designed to solve that problem, just to make it easier to manage. There is no way to remove the need to educate consumers; trust is too broad of a topic to divide every app into a single "trusted" or "untrusted" bucket. So what sandboxes do is embrace that grey area rather than ignore it.

                                                                                                                                    In the physical world, if I'm securing a bank or an organization, there are going to be people I distrust so much that they can't even enter the premises. There are going to be people I trust enough to walk around while supervised. There are going to be people I trust enough to be unsupervised, but not enough to give them keys to my vault or server room. And finally there will be a minuscule number of people I trust to have full access to everything.

                                                                                                                                    Imagine if instead, our policy was, "you shouldn't let untrustworthy people into your building in the first place, so security measures past that point are useless." Would we be able to build a database of 'trustworthy' people who could have access to the vaults of every bank they walked into?

                                                                                                                                    When we get rid of sandboxes, we're still using a permissions system -- all we've done is made that permissions system less granular and harder to moderate, because we've removed our ability to say nuanced things like, "I trust Facebook to connect to the Internet, but not to read my contacts."

                                                                                                                  • ori_b 477 days ago
                                                                                                                    > Client Hints (https://wicg.github.io/ua-client-hints/) move a passive fingerprinting vector to an active one, i.e. information must be explicitly requested by the site and then the browser can choose how to respond.

                                                                                                                    And how much of a hurdle is that, exactly?

                                                                                                                    • zzzcpan 478 days ago
                                                                                                                      That's not an active fingerprinting vector, especially within the context of https, still passive one with a minor protocol detail.
                                                                                                                  • magicalist 477 days ago
                                                                                                                    > Google recently introduced a new “secure” login page which forces my chromium based browser (qutebrowser)

                                                                                                                    That's an embedded chromium browser and according to [1] you should really be switching to oauth for login, not faking a UA string.

                                                                                                                    [1] https://security.googleblog.com/2019/04/better-protection-ag...

                                                                                                                    • The-Compiler 477 days ago
                                                                                                                      It isn't - in that blogpost, Google describes:

                                                                                                                      "However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in."

                                                                                                                      In other words, the OAuth sign in is intended for applications which want to access the Google APIs in some way.

                                                                                                                      qutebrowser (as an application) doesn't need access to your Google Account in any way. It doesn't care about your Google authentication data, and it doesn't use Google APIs.

                                                                                                                  • saagarjha 477 days ago
                                                                                                                    Safari tried to do this but had to walk back some of their changes: https://bugs.webkit.org/show_bug.cgi?id=180365. Currently, it reports the marketing OS and version of Safari truthfully, while lying about the bundled version of WebKit. For example, my user agent is "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15", but I am running Safari 13.1, WebKit 15609.1.13.4 on macOS Catalina 10.15.3.
                                                                                                                    • dangerface 477 days ago
                                                                                                                      Safari is a broken mess, I have to detect and fix it more than any other browser, makes sense they would make it even more broken.
                                                                                                                      • realusername 477 days ago
                                                                                                                        I agree with that, I don't know if it's a lack of manpower on Safari and Safari mobile or what but it's severely far behind the other browsers.
                                                                                                                        • londons_explore 477 days ago
                                                                                                                          Being a monopoly on iPhones means the rest of the community has to work around their bugs. Why would they put any effort into fixing those bugs - web devs are working around them just fine?

                                                                                                                          Safari could say "Sorry - <div> tags aren't working in the current release", and all big websites would switch to other html tags in a matter of weeks.

                                                                                                                          • dmitriid 477 days ago
                                                                                                                            Chrome published a draft of User-Agent Client Hints only a month ago. They are already moving ahead to deprecate user Agent string and saying "Where feature detection fails developers, UA Client Hints are the right path forward" (a thing that's not even a standard yet).

                                                                                                                            Safari has been very wary of this break-neck speed of how Chrome imposes Google's view of standards onto the world. WebKit team has even walked away from proposals when concerns were not addressed (sadly, I can't find the link in GitHub issues right now. Edit: [1]).

                                                                                                                            And yes, lack of manpower is another pressing concern.

                                                                                                                            [1] https://github.com/WICG/construct-stylesheets/issues/45#issu...

                                                                                                                            "Now I consider this issue as an absolute show stopper. I don't think we want to ever implement this feature in WebKit unless this issue is resolved."

                                                                                                                            • ksec 477 days ago
                                                                                                                              And that is what I like about Safari, instead of blindly following every single proposal from Google. Many of them are not really well thought out.
                                                                                                                            • AgloeDreams 477 days ago
                                                                                                                              Well, Chrome was based on Webkit for a while and then they forked it and as a result stopped contributing to it. For Google, Chrome is a major product (as it forces their Search engine and products). For Apple, Safari is pretty minor. Apple simply doesn't have a reason to throw so much manpower at it.
                                                                                                                              • smnthermes 477 days ago
                                                                                                                                Maybe Apple will adopt Blink/Chromium in the future?
                                                                                                                                • AgloeDreams 476 days ago
                                                                                                                                  That's a dark future but pretty much. This happening would mean Firefox's engine is the only other rendering engine on earth than Blink.
                                                                                                                            • Joker_vD 477 days ago
                                                                                                                              Oh boy. Right now, I am implementing a workaround for websockets in Safari on iOS 13 — apparently, they've somehow broken their already non-standard "x-webkit-deflate-frame" compression scheme and can't properly send fragmented messages anymore when it's enabled: they mess up the zlib stream at the start of the second fragment (or maybe at the end of the first fragment).
                                                                                                                          • LyndsySimon 478 days ago
                                                                                                                            For context, as it’s not immediately obvious at the link: Blink is Chrome/Chromium’s rendering engine.
                                                                                                                            • ShinTakuya 478 days ago
                                                                                                                              Thanks, I assumed so but it's useful to have this confirmation before I looked it up. Honestly this is a little surprising to me. Sites pulling shit like matching UA usually works out in Chrome's favour so it's nice to see them throwing the minor web browsers an olive branch.
                                                                                                                              • close04 478 days ago
                                                                                                                                Developers will still mostly target the most popular browser(s), particularly Chrome. It would be great if browsers like Firefox managed to implement a "feature detection spoof" that you can enable to still present yourself as Chrome (or other browsers) regardless of the actual features requested. More or less like changing the UA does now.
                                                                                                                                • GoblinSlayer 477 days ago
                                                                                                                                  That's Go Faster addon.
                                                                                                                                  • close04 477 days ago
                                                                                                                                    This looks like it's intended to fix specific issues, not for fingerprint blocking. I was thinking more like being able to present yourself as generic Chrome on Windows 10 or Firefox on Android if you chose to, even with the risk of breaking the site.
                                                                                                                                    • GoblinSlayer 477 days ago
                                                                                                                                      Firefox resists fingerprinting by default, and go faster addon provides mitigations for sites that break in this mode, like providing a specific UA string.
                                                                                                                            • shortercode 477 days ago
                                                                                                                              This seems particularly unhelpful for bug reporting systems. Being able to see a specific bug is only happening on Chromium 78 for Linux can save a lot of time and frustration. In theory the user can fill in the details on a bug report themselves, but it's hard enough to persuade them to copy paste the crash message we generate for them at the moment.
                                                                                                                              • penagwin 477 days ago
                                                                                                                                There should be better ways to identify the browser than the user agent. The user agent is a legacy artifact, have you seen how many "compatibility" parts are in there? Like why does the chrome user agent say "Mozilla" in iy?
                                                                                                                                • samastur 477 days ago
                                                                                                                                  Yes, but do you know any?

                                                                                                                                  UA is the only thing I get in server logs to discover how much attention I should pay to support particular browsers.

                                                                                                                                  • penagwin 477 days ago
                                                                                                                                    There's not really a good server side way to do it unfortunately. All the current alternatives to my knowledge require js.

                                                                                                                                    It depends on your application but the only real alternative is to use a js analytics library to collect the statistics. The good news is that they're more accurate, can give you more information, and there's plenty of self hosted options like Matomo.

                                                                                                                                    But it is yet another thing the client as to load, and adblockers will likely skew your metrics.

                                                                                                                                    • miohtama 477 days ago
                                                                                                                                      User agent strings will be deprecated in favour of UA Client Hints, as mentioned in the proposal


                                                                                                                                • anilshanbhag 478 days ago
                                                                                                                                  The trigger for this was most likely the Brave/Vivaldi browsers. Brave used to 'Brave/X.y' at the end of user agent. Whatsapp didn't work with that useragent. Now Brave uses Google Chrome's useragent.

                                                                                                                                  In my app Dictanote (https://dictanote.co) - which uses Chrome's speech-to-text API, I have no way to distinguish Brave/Vivaldi and user doesn't understand why its not working :/

                                                                                                                                  • DarkCrusader2 478 days ago
                                                                                                                                    Shouldn't you be using feature detection[1] here anyway? Making browsers unsupported in a blanket fashion via user-agent is the exact thing people should stop doing.

                                                                                                                                    [1] https://developers.google.com/web/updates/2014/01/Web-apps-t...

                                                                                                                                    • anilshanbhag 478 days ago
                                                                                                                                      The webkitSpeechRecognition object shows up on both browsers. When you start recognition, it acts like you are not connected to the network. Not connected to the network is a common error , so you cannot fingerprint it to Brave.

                                                                                                                                      This specific API only works in Google Chrome unfortunately. So we need to stop people from trying in another browser and getting frustrated as to why its not working.

                                                                                                                                      • ss3000 478 days ago
                                                                                                                                        We should of course default to feature detection whenever possible, but non-standard behavior like this in certain browsers is exactly why feature detection alone is never going to cover 100% of current use cases for UA detection.

                                                                                                                                        To add to OP's point, this thing in Safari also comes to mind as an example of something that isn't easy to detect and address outside of UA detection: https://github.com/vitr/safari-cookie-in-iframe

                                                                                                                                        Deprecating UA Strings and moving towards UA Client Hints seems like a move in the right direction though.

                                                                                                                                        • GoblinSlayer 477 days ago
                                                                                                                                          3rd party cookies can be assumed to be always blocked, no need to detect anything.
                                                                                                                                          • ss3000 477 days ago
                                                                                                                                            Some pages are intended to be embedded in iframes (which have their own security context isolated from the embedding page), and happen to use cookies for authentication. Safari not allowing cookies from third party domains in iframes is the issue here.

                                                                                                                                            Assuming these iframes will never work means degrading the experience for all users, when only users on Safari are actually affected. Detecting the UA and branching based on that is a much more pragmatic solution.

                                                                                                                                        • exikyut 477 days ago
                                                                                                                                          IMO Brave should remove this API, then.

                                                                                                                                          - It's not likely to work anytime soon

                                                                                                                                          - "The property doesn't exist or throws an exception or does something else that Chrom{e,ium} doesn't do" provides the necessary fingerprinting

                                                                                                                                          - Adding the feature back later can just be chalked up to "growing pains", it doesn't really set especially unique precedent

                                                                                                                                          • untog 477 days ago
                                                                                                                                            Absolutely they should. But they haven't. Checking the UA string allows a developer to get around the issue, but once it's gone an individual developer will be powerless to fix the issue for their users.
                                                                                                                                      • RKearney 478 days ago
                                                                                                                                        Using user agents to detect features is the wrong way to do it because you’ll have these exact problems.

                                                                                                                                        To determine if a browser has the text to speech API just check if the webkitSpeechRecognition object exists (if that’s the one you’re using). It will exist in Chrome and will not exist in other browsers that lack the feature.

                                                                                                                                        • scarejunba 477 days ago
                                                                                                                                          > * It will exist in Chrome and will not exist in other browsers that lack the feature.*

                                                                                                                                          An incorrect assumption stated as fact with such great confidence. Good job.

                                                                                                                                          Even on the face of it, any engineer would know this can't be true.

                                                                                                                                        • devit 478 days ago
                                                                                                                                          Just test whether the API works or whether the properties are missing or methods throw exceptions?

                                                                                                                                          The kind of testing you are complaining you can't do is exactly why user agent is broken, what if you test for Chrome and then Brave/Vivaldi start supporting the speech-to-text API and your broken website still says "sorry, you need Chrome" for no reason?

                                                                                                                                          • anilshanbhag 478 days ago
                                                                                                                                            The webkitSpeechRecognition object shows up on both browsers. When you start recognition, it acts like you are not connected to the network. Not connected to the network is a common error , so you cannot fingerprint it to Brave.
                                                                                                                                          • alehander42 478 days ago
                                                                                                                                            so show this as a hint in the UI :) people can still solve problems better than machines often
                                                                                                                                            • londons_explore 477 days ago
                                                                                                                                              I can imagine the popup now:

                                                                                                                                              "Somethings wrong! You might be using Chrome and having connectivity issues, or you might be using Brave who have a dispute with Google about usage of their speech recognition API. In the former case, get better WiFi, and in the latter case there's nothing you can do, switch browsers."

                                                                                                                                          • devit 478 days ago
                                                                                                                                            How about doing this but also NOT providing the client hints API and NOT providing any way for JavaScript to explicitly ask for OS and browser product name and version?

                                                                                                                                            While browser and JavaScript engines are likely to continue being detectable due to behavior and performance for the foreseeable future, it's probably possible to make the OS, browser frontend and exact engine version undetectable.

                                                                                                                                            • marcusarmstrong 478 days ago
                                                                                                                                              Browser vendor/version is hugely important information for triaging issues and implementing progressive enhancement approaches on large scale websites.
                                                                                                                                              • minitech 477 days ago
                                                                                                                                                Triaging issues, sure. Progressive enhancement? If you’re parsing User-Agent to implement that, you’re doing it wrong. (Feature detection is the correct approach, when necessary.)
                                                                                                                                                • nicoburns 477 days ago
                                                                                                                                                  There are cases like IndexedDB bugs in certain versions of Safari that are very hard to feature detect...
                                                                                                                                                  • marcusarmstrong 477 days ago
                                                                                                                                                    Can’t feature detect during SSR, so making an educated guess and falling back gracefully (when possible—many times it just isn’t, as with ES6 syntax) is important to get initial page load right by default.
                                                                                                                                                    • zamadatix 477 days ago
                                                                                                                                                      Because so many people abused the user agent header for things that could gracefully fall back (or they just made invalid assumptions from it) it was made an unreliable indicator for times you actually want to send shimmed content on first load.
                                                                                                                                                    • grose 477 days ago
                                                                                                                                                      Here's an official Google page telling you to sniff UAs or their new feature will break everything: https://www.chromium.org/updates/same-site/incompatible-clie...

                                                                                                                                                      Edit: OK, this isn't progressive enhancement. But it's still a major problem you have to sniff the User-Agent for. I don't want to sniff UAs either but when Chrome is wont to change how fundamental parts of the web work like cookies it's sometimes necessary. I know UA hints will still allow you to do this, but requiring a second request is going to make things like redirect pages difficult to implement.

                                                                                                                                                      • minitech 477 days ago
                                                                                                                                                        SameSite=None isn’t progressive enhancement.
                                                                                                                                                        • grose 477 days ago
                                                                                                                                                          You're right, I should have replied elsewhere. By the way, if anyone knows what this _is_ called I would be interested to know. As far as I can see it's basically feature detection with no other way of detecting it besides the UA.
                                                                                                                                                    • tyingq 478 days ago
                                                                                                                                                      Perhaps, but it invalidates most of their stated reasons for doing this. Which makes the post a confusing read.
                                                                                                                                                      • magicalist 478 days ago
                                                                                                                                                        > it invalidates most of their stated reasons

                                                                                                                                                        The "main advantages" section for client hints all seem to apply there.

                                                                                                                                                        • marcusarmstrong 478 days ago
                                                                                                                                                          IMO it’s explained better in the Client Hints specification.
                                                                                                                                                          • HorstG 477 days ago
                                                                                                                                                            Client hints are not any more useful than traditional UA for privacy or progressive enhancement. Its the same content, just split up. Any browser not sending everything will have atrocious permission UX, nagging websites or just get the broken IE5 version.

                                                                                                                                                            UA hints solve nothing, even after reading the spec

                                                                                                                                                      • pteraspidomorph 478 days ago
                                                                                                                                                        Seems to be the Firefox plan according to the text.
                                                                                                                                                        • tracker1 477 days ago
                                                                                                                                                          How do you propose, without some sort of browser and os detection and version to address specific bugs for those environments? Just leave a site/app broken for a few months until/if/when the browser fixes the bug?
                                                                                                                                                        • qwerty456127 478 days ago
                                                                                                                                                          > And finally, starting fresh will enable us to drop a lot of the legacy baggage that the UA string carries (“Mozilla/5.0”, “like Gecko”, “like KHTML”, etc) going forward.

                                                                                                                                                          Why not drop just that and leave nothing but the exact HTML and JavaScript engine names and versions like "Blink a.b, V8 x.y"?

                                                                                                                                                          And what about robots? Will the Googlebot give the UA up as well?

                                                                                                                                                          • richthegeek 478 days ago
                                                                                                                                                            There are plenty of unmaintained sites out there that do stupid things in reaction to UA strings, and one of the stupid things is using a regex that expects specific strings to exist.

                                                                                                                                                            Using a completely new string format in the same field (or removing it entirely) breaks a lot of sites that'll never be fixed.

                                                                                                                                                            Freezing it prevents this. And if we're freezing and creating a new system then why not go for something queryable without all the baggage?

                                                                                                                                                            • userbinator 478 days ago
                                                                                                                                                              I tried using no UA header at all for a period of a few weeks, many years ago when "appsites" weren't as common, and yet a lot of sites failed to load mysteriously, showed odd server errors, or even banned my IP for being a bot.

                                                                                                                                                              I expect no UA header to be even less usable now that sites are more paranoid and app-ified, so instead I use a random one. That still confuses some sites...

                                                                                                                                                              • zzzcpan 478 days ago
                                                                                                                                                                Random UA can get you outright blocked for looking like a bot. So is faking Googlebot and such.
                                                                                                                                                                • Kaiyou 477 days ago
                                                                                                                                                                  A random one makes you unique and thus identifiable across sites.
                                                                                                                                                                  • userbinator 477 days ago
                                                                                                                                                                    I meant random as in "randomly picked from list of common UAs", not as in "randomly generated GUID".
                                                                                                                                                                • qwerty456127 478 days ago
                                                                                                                                                                  How is something without all the baggage expected to help with the sites doing the stupid things?
                                                                                                                                                                  • ajsnigrutin 478 days ago
                                                                                                                                                                    Users still want to see those pages. If browser X removes the UA string, that site brakes for them, and they change to browser Y that still has the old useragent.
                                                                                                                                                                    • qwerty456127 478 days ago
                                                                                                                                                                      But won't removing just the baggage parts of the UA ("like Gecko", "KHTML" etc) break those sites anyway?
                                                                                                                                                                      • richthegeek 477 days ago
                                                                                                                                                                        The old UA will exist as it always has done - frozen, unchanged. Nothing will be removed from the literaly `user-agent` header value.
                                                                                                                                                                  • GoblinSlayer 477 days ago
                                                                                                                                                                    Yep, they can receive those crazy UAs, see https://wiki.mozilla.org/Compatibility/Go_Faster_Addon
                                                                                                                                                                • danShumway 477 days ago
                                                                                                                                                                  Requires some complicated conversations about how client hints should work in a privacy-respecting way, but this is still unquestionably the right move.

                                                                                                                                                                  The arguments we're seeing are around what the replacement should be (or if there should be a replacement at all). But either of those scenarios are still better than keeping user agents as they are.

                                                                                                                                                                  • dbetteridge 478 days ago
                                                                                                                                                                    While the intent is good, didn't we recently see from the roll-out of secure/strict same-site cookies that feature detection isn't mature enough? Or does that not apply here.

                                                                                                                                                                    Getting rid of user agent strings is great, as long as we get a better way to determine browser capabilities that doesn't require some kind of special feature checking library...

                                                                                                                                                                    • pjc50 478 days ago
                                                                                                                                                                      User-agent was never feature detection, only a proxy for it, and frequently resulted in preventing users from using things that the browser was capable of supporting.

                                                                                                                                                                      Why does edge say "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"? Because people kept abusing it for feature detection.

                                                                                                                                                                      • dbetteridge 477 days ago
                                                                                                                                                                        You're not wrong, but there are still various functionalities that are not easily feature detected in browser especially in older versions and sometimes you need to err on the side of caution and tell the user their browser is unsupported (even if it may work)
                                                                                                                                                                      • rowan_m 478 days ago
                                                                                                                                                                        For older browsers, the UA string remains - so that's still viable for compatibility issues. https://wicg.github.io/ua-client-hints/ will provide the cleaner, opt-in approach in the future.
                                                                                                                                                                        • 1_player 478 days ago
                                                                                                                                                                          What's cleaner about this new approach? I can't see the point of it.

                                                                                                                                                                          It's exactly the same as the User-Agent header we had, but worse.

                                                                                                                                                                          UA was used for tracking? With this new standard, just ask the user agent to include all details in its Accept-CH header.

                                                                                                                                                                          UA was used for feature detection? People will use this new standard to do feature detection.

                                                                                                                                                                          And it's worse because there's legitimate uses of UA sniffing, and JS won't have access to it anymore - TFA wants to deprecate navigator.userAgent, so only the webserver would have access to user agent details? Why?

                                                                                                                                                                          • rowan_m 477 days ago
                                                                                                                                                                            > With this new standard, just ask the user agent to include all details in its Accept-CH header.

                                                                                                                                                                            That becomes an explicit choice by the site to request more information, it's up to the client/browser how it responds to that. Fewer bits of information are exposed by default.

                                                                                                                                                                            > JS won't have access to it anymore - TFA wants to deprecate navigator.userAgent, so only the webserver would have access to user agent details? Why?

                                                                                                                                                                            I should have linked to the top-level repo with the explainer (https://github.com/WICG/ua-client-hints) as it's not immediately clear from the spec, but access to the hint values is provided via getUserAgent()

                                                                                                                                                                          • dbetteridge 478 days ago
                                                                                                                                                                            The hints do seem like a good approach, though scary from a fingerprinting side as they're much more fine-grained.
                                                                                                                                                                            • rowan_m 478 days ago
                                                                                                                                                                              It changes the passive fingerprinting vector to an active one: https://github.com/bslassey/privacy-budget#passive-surfaces

                                                                                                                                                                              So, while UA hints could potentially supply more information than the current UA string - each item needs to be explicitly requested by the site meaning the browser can make a choice on what to return. This may depend on user's preferences, level of trust in a site, the amount of identifying information already provided to the site, etc.

                                                                                                                                                                              • ori_b 477 days ago
                                                                                                                                                                                > It changes the passive fingerprinting vector to an active one

                                                                                                                                                                                You say this as though the ad industry cares.

                                                                                                                                                                                > So, while UA hints could potentially supply more information than the current UA string - each item needs to be explicitly requested by the site meaning the browser can make a choice on what to return.

                                                                                                                                                                                Let me introduce you to useragent switchers.

                                                                                                                                                                                The replacement is strictly worse. Simply freezing the user agent solves things well.

                                                                                                                                                                                • untog 477 days ago
                                                                                                                                                                                  > You say this as though the ad industry cares.

                                                                                                                                                                                  They don't have a choice? The point about passive vs active is that it places control with the browser/user where they didn't have it before. You'll be able to respond to some hints and ignore others.

                                                                                                                                                                                  > Let me introduce you to useragent switchers.

                                                                                                                                                                                  And what's the adoption rate of those, I wonder... less than 1% of users? This client hints standard will make it a lot more reasonable for non-power users to control what information is being disclosed, should they wish.

                                                                                                                                                                                  • ori_b 477 days ago
                                                                                                                                                                                    > They don't have a choice? The point about passive vs active is that it places control with the browser/user where they didn't have it before. You'll be able to respond to some hints and ignore others.

                                                                                                                                                                                    So, you are saying that every time someone wants to test browser compatibility, the browser will prompt the user?

                                                                                                                                                                                    No, they're not doing that. Which means that the information is in the hands of anyone that cares. It just isn't in Apache server logs by default.

                                                                                                                                                                                    > And what's the adoption rate of those, I wonder... less than 1% of users?

                                                                                                                                                                                    About as high as the dynamic equivalent will be.

                                                                                                                                                                                    Which is why not replacing the useragent string is the only option that makes things better.

                                                                                                                                                                        • at_a_remove 477 days ago
                                                                                                                                                                          I have mixed feelings on this. On the other hand, I knew some people above me who are still stuck on useragent sniffing as the "way to go."

                                                                                                                                                                          On the other hand, I did use it in combination with other techniques to provide some real information. At one point I had a hard-to-even-track kind of problem, with difficulty even looking for common trends. I created a help form for the user. Please fill out when this occurred, where you were (this mattered), what OS were you running, what browser, and so forth. What I found using the UA (and backed by other tricks) was that many users, young users who were enrolled in college, were not only unaware of their browser or operating system version but the OS itself.

                                                                                                                                                                          Its utility began its decline when the browser makers began copying one another wholesale. It's kind of a shame. Capability-testing is better but for some troubleshooting applications, having something particular to pin your problems to is handy.

                                                                                                                                                                          • miohtama 477 days ago
                                                                                                                                                                            Please see UA Client Hints linked in the proposal


                                                                                                                                                                            You should still get this information, but more privacy oriented manner.

                                                                                                                                                                            • earthboundkid 477 days ago
                                                                                                                                                                              I know no one RTFAs (I usually don't even RTFA), but in this case, it's really egregious. The whole discussion is going back and forth about UA sniffing with no one mentioning that the damn proposal is entirely based on adding UA Client Hints as a replacement. It makes this whole multi-hundred comment discussion pretty much valueless. Please, other commenters: read this link before discussing whether you're caremad about "like Gecko" in the UA string!
                                                                                                                                                                              • mkl 477 days ago
                                                                                                                                                                                In this case, it seems like you didn't read the discussion either. Many people have been talking about UA Client Hints here, before you commented.
                                                                                                                                                                                • earthboundkid 477 days ago
                                                                                                                                                                                  This was the near top level comment I saw to mention it. I don’t think it’s crazy to collapse a huge thread where the first several levels of comments aren’t relevant.
                                                                                                                                                                                  • mkl 477 days ago
                                                                                                                                                                                    Sure, but you could do a find before accusing all other commenters of "egregious" not reading of the article.
                                                                                                                                                                          • leeoniya 477 days ago

                                                                                                                                                                            the proposed implementation leaves me questioning how useful the CH headers are for initial impressions of a web property if only the browser and version are sent by default, and more info is only provided on follow-up requests, assuming the user agrees to some permission popup they don't understand. it'll be the "this site uses cookies" nonsense / nuisance all over again. it'll finally push end users to install the native reddit app without those constant annoyances.

                                                                                                                                                                            i have quite a few ux enhancements that need to know or guestimate the screen size, if the device is touch capable and OS (especially for form input styling). i dont see how it is possible without an additional delay, fetch request and some annoying permission popup to deliver a good experience in the brave new CH world.

                                                                                                                                                                            • HorstG 477 days ago
                                                                                                                                                                              There is CSS media query for exactly your use-case. No need for sniffing, round-trips or any server-side activity at all.
                                                                                                                                                                              • leeoniya 477 days ago
                                                                                                                                                                                a media query will not tell me what OS it is so i can infer the metrics of native fonts and form controls. i would have to use JS and create sentinel elements to make the measurements, which would still be a form of slower, shittier sniffing.

                                                                                                                                                                                also, a media query or any other client side method prevents me from delivering exactly the final content that's necessary and not have to do additional reflow-inducing js to get the end result.

                                                                                                                                                                            • LeonM 478 days ago

                                                                                                                                                                              The only legitimate use case I can think of is exception tracking, it is valuable to know which browser caused the exception.

                                                                                                                                                                              Beyond that, a website should never, ever rely on the UA for anything.

                                                                                                                                                                              • smitop 478 days ago
                                                                                                                                                                                It is still possible to determine what browser caused an exception. The "sec-ch-ua" header is used by Chrome (but only to HTTPS websites) to send the "real" user agent, which for me is "Google Chrome 79" (and I am indeed running Google Chrome 79).
                                                                                                                                                                                • Tade0 478 days ago
                                                                                                                                                                                  Last time the UA string was useful to me was to show my SO's uncle that iOS Edge is just a "repackaged and watered down version of Safari".
                                                                                                                                                                                  • saagarjha 477 days ago
                                                                                                                                                                                    My user agent is "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15". Clearly I'm running a repackaged Firefox browser?
                                                                                                                                                                                    • AgloeDreams 477 days ago
                                                                                                                                                                                      In fairness, real (Trident) Edge fakes the Chrome UA. But yeah all iOS browsers are just WebKit.
                                                                                                                                                                                    • qwerty456127 478 days ago
                                                                                                                                                                                      IMHO you're right but underestimate the value of what you have mentioned. It is VERY valuable to know which browser caused the exception.
                                                                                                                                                                                      • jmcs 478 days ago
                                                                                                                                                                                        Maybe after people stop using the user agent for stupid reasons it can be made useful again. User agents should be stuff like "Firefox 71.0" or "Chrome 79.0.3945", not "Mozilla but really AppleWebKit disguised as KHTML, but no really I'm Chrome but maybe I'm Safari"
                                                                                                                                                                                        • HorstG 477 days ago
                                                                                                                                                                                          Yes, but unfortunately using the user agent for only non-stupid reasons is a postcondition for the hell freezing over.
                                                                                                                                                                                        • GoblinSlayer 477 days ago
                                                                                                                                                                                          Hopefully people will think twice before doing stuff that depend on browser.
                                                                                                                                                                                        • thrower123 477 days ago
                                                                                                                                                                                          Realistically, we will just find another, more complicated and more opaque, and more error-prone, method of fingerprinting the browser version.
                                                                                                                                                                                          • zzzcpan 477 days ago
                                                                                                                                                                                            There are plenty of legitimate purposes. I use it to disable keepalive for POST requests, redirect to https:// for browsers known to be able to establish a secure connection, whitelist tor browser bundle, detect behavior of Accept: header, which differs even between browser versions, and some other things.
                                                                                                                                                                                          • kerkeslager 477 days ago
                                                                                                                                                                                            One problem with User-Agent strings is that they actually don't work for their intended use case. Nothing is stopping user agents from lying about who they are to the server, and many user agents actively do this.

                                                                                                                                                                                            I've been on teams a few times that tried to use UA strings to try to serve up features per-browser. Trying to do this directly falls apart quickly. There are some libraries that handle the most common problems, but that really only delays the inevitable: eventually some critical user is using a browser that you are detecting wrong, and you end up lost in endless hard-coded edge cases. Using UA strings to determine functionality isn't an effective strategy.

                                                                                                                                                                                            • sheerun 477 days ago
                                                                                                                                                                                              Client Hints won't work with SSR because they are available only on second request... I hope they fix it before deprecating.
                                                                                                                                                                                              • jamescun 478 days ago
                                                                                                                                                                                                Feature detection isn't the only use case User Agent strings service, two I've seen frequently are:

                                                                                                                                                                                                * Exception Tracking - The User Agent string is usually attached to exceptions to aid in reproduction.

                                                                                                                                                                                                * Outdated Client Detection - Primarily in internal dashboards in BYOD environments, I've seen the server display an error when a known outdated/insecure browser connects.

                                                                                                                                                                                                • kalleboo 477 days ago
                                                                                                                                                                                                  When Safari froze their UA, another big one that came up was browser bugs. Specific versions of browsers on specific platforms have bugs, and you need to be able to tell your user to upgrade.
                                                                                                                                                                                                  • clarry 477 days ago
                                                                                                                                                                                                    Please use the latest supported browser.

                                                                                                                                                                                                    There, I just told you to upgrade without sniffing UA.

                                                                                                                                                                                                    • kalleboo 476 days ago
                                                                                                                                                                                                      No user is going to see that sentence. They're going to read right past it, click some button, it doesn't work, "this site sucks" and go somewhere else.
                                                                                                                                                                                                      • clarry 476 days ago
                                                                                                                                                                                                        I'll take that over a feature that just gets abused for all kinds of things and will create breakage which makes users just go elsewhere because it's broken.

                                                                                                                                                                                                        It is ridiculous for every website to be babysitting their users software, when we already have operating systems that keep software up to date, package managers that keep software up to date, and software that keeps itself up to date.

                                                                                                                                                                                                        If I need to make a really important website that can't lose users like that, I just need to make damn sure it works with any relevant browser without any UA sniffing hacks that will bite back down the line.

                                                                                                                                                                                                        If I'm making some bleeding edge crap that really needs a bleeding edge browser, I'm sure I can find a place for that sentence where most users will find it, and if I lose a few users, it probably isn't that big of a deal. Chances are I'd lose more users anyway due to many not wanting or being able to update for any number of reasons.

                                                                                                                                                                                                      • HorstG 477 days ago
                                                                                                                                                                                                        Also, "please upgrade, then call back" is always the first point on any support call checklist.
                                                                                                                                                                                                        • kalleboo 476 days ago
                                                                                                                                                                                                          On the web you've lost 95% of users before they contact support
                                                                                                                                                                                                    • tsegratis 477 days ago
                                                                                                                                                                                                      Possibly add a randomized date to new UA, in range from last fixed CVE, to browser compilation date

                                                                                                                                                                                                      That would avoid feature detection, but still create epochs to disallow insecure browsers


                                                                                                                                                                                                      For exception tracking, the best I can suggest is getting screen size + other features; then storing them, ready to pass with the exception

                                                                                                                                                                                                    • chrisweekly 478 days ago
                                                                                                                                                                                                      • jonarnes 477 days ago
                                                                                                                                                                                                        > The opt-in based mechanism of Client Hints currently suffers from the fact that on the very-first view, the browser have not yet received the opt-in. That means that requiring specific UA information (e.g. device model, platform) on the very-first navigation request may incur a delay. We are exploring options to enable the opt-in to happen further down the stack to avoid that delay.

                                                                                                                                                                                                        I'm surprised Google goes ahead with this without having a concrete plan to handle the first request to a page. I fear that will become an ugly mess of redirects, js hacks and broken pages. Think Google is under estimating how widespread device detection user User-Agent on the server side is...

                                                                                                                                                                                                        • arendtio 477 days ago
                                                                                                                                                                                                          As a KDE User, I am so happy every time I see 'KHTML' in one of those User-Agent strings, it would be horrible if Konquerors legacy would be removed one day ;-)

                                                                                                                                                                                                          So it is good they don't want to remove it, but just freeze it :D

                                                                                                                                                                                                          • Ayesh 477 days ago
                                                                                                                                                                                                            This can have a huge impact.

                                                                                                                                                                                                            - Server log analytics will not be able to provide OS/Browser stats.

                                                                                                                                                                                                            - Default download pages (Detect OS automatically and redirect to the platform-specific download pages) would not work.

                                                                                                                                                                                                            - "m." Sites: there are still some sites that sniff the UA string and redirect users to mobile site. It's looking for patterns like "/mobile/" in UA, and don't require a lot of updates as the post argues.

                                                                                                                                                                                                            • onion2k 477 days ago
                                                                                                                                                                                                              I think you'll still be able to tell what OS and browser it is, just not the specific major or minor version because they'll be 85.0.0 (if that's the version when this happens) forever. All of the examples you've put there will still be achievable with the out-of-date UA string.
                                                                                                                                                                                                            • toast0 477 days ago
                                                                                                                                                                                                              I may be cynical, but the Accept-CH proposal seems to me like something proposed for appearances only, not with any intent to actually implement.

                                                                                                                                                                                                              It just doesn't make sense from the perspective of HTTP. The only existing flow where an HTTP server passes context to the client and the client makes a new request based on that is HTTP authentication; but that's not intended to be optional --- generally servers don't provide good enough content with HTTP 401 and expect clients to display it in case they don't feel like authenticating. In this proposed flow, the server would need to, at least, start sending the content on the original request, and then send it again in case the client actually sends a new request.

                                                                                                                                                                                                              If this is an HTTPS only feature, the server to client request could be moved up into the TLS handshake; the client could include an empty Accept-CH extension, and if present, the server could include an Accept-CH extension with the fields it wants in HTTP requests. Then the client would send the fields, or not, according to user preference. Zero added round trips.

                                                                                                                                                                                                              Otherwise, it might be better if the server were able to indicate to clients what its matching rules were. If the initial response returns best case data, and a list of exception rules, the client could send a second request only if the rules matched. Then you could say if it's a specific build of Chrome where important feature is present but broken[1], or Chrome version before X, or Chrome on mobile if ARMv5 or whatever, please disregard the content and refetch with more details provided to the server, so it could provide an appropriate page.

                                                                                                                                                                                                              [1] Let's say that particular version crashes when the feature is attempted to be used; it's plausible, and not really detectable from Javascript.

                                                                                                                                                                                                              • tjelen 477 days ago
                                                                                                                                                                                                                And at the same time they recommend using UAs to detect agents incompatible with SameSite=None cookies (see https://www.chromium.org/updates/same-site/incompatible-clie...), including certain Chrome versions.
                                                                                                                                                                                                                • tracker1 477 days ago
                                                                                                                                                                                                                  I'm not sure I get the point of specifically requesting it... also, should have a DOM API to get this information spelled out, not sure where that is...

                                                                                                                                                                                                                  Let alone requiring a round trip for the server to even see the information... does that mean a 302 to itself for initial data? What about a POST? The first render is where this kind of crap is most useful for server-side rendering.

                                                                                                                                                                                                                  The fact is, in general, it would be nice to get the actual browser/version and os/version, and maybe have an engines list for cross-compatibility detection as a fallback.

                                                                                                                                                                                                                  When you come across a bug that only effects a specific browser/version (or other browsers using that engine as a base), it's a pain to deal with... cleaning it up when fixed is another issue, or worse, when you target a specific version, then the next release doesn't fix the issue and you're scrambling to update your range for the fix.

                                                                                                                                                                                                                  It isn't nearly as bad as the late 90's, but it's still pretty bad.

                                                                                                                                                                                                                  • CodeWriter23 477 days ago
                                                                                                                                                                                                                    > It provides the information in small increments, so servers are only exposed to the information they need and request, rather than being exposed to the full gamut of the UA string even if they are just trying to figure out one detail about the browser.

                                                                                                                                                                                                                    So, an extra RT if your app needs to sense which UA it’s talking to.

                                                                                                                                                                                                                    • peterwwillis 477 days ago
                                                                                                                                                                                                                      It's going to be fun to watch all the product teams for all the web products stop all their active development so they can push through emergency fixes when this breaks their products. Just like Chrome 80's breaking of an established cookie use pattern is doing.
                                                                                                                                                                                                                      • ksec 477 days ago
                                                                                                                                                                                                                        Google's Good Intention were to support privacy, and

                                                                                                                                                                                                                        >the web should be is an abundant source of compatibility issues. in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason.

                                                                                                                                                                                                                        Doesn't that mean every Web feature would be Google's way or the high way. Google, using Blink and Chrome would be dictating the web standards. And if it is incompatible, it would now officially be the browser vendors's fault and not the designer.

                                                                                                                                                                                                                        • trilliumbaker 477 days ago
                                                                                                                                                                                                                          > Google's Good Intention were to support privacy

                                                                                                                                                                                                                          I find this intent for be very difficult to believe. Chrome's privacy policy[0] already lists a ton of information that Chrome sends to Google.

                                                                                                                                                                                                                          I am cynical and simply do not trust Google. I see this as a move for control rather than privacy.

                                                                                                                                                                                                                          0. https://www.google.com/chrome/privacy/

                                                                                                                                                                                                                        • JohnFen 477 days ago
                                                                                                                                                                                                                          Removing the user agent string is something that I've wished for for decades. While we're at it, the browser should not be revealing anything else about it or our machines at all unless we consent to it.
                                                                                                                                                                                                                          • EGreg 477 days ago
                                                                                                                                                                                                                            This is a terrible idea unless the better mechanism includes a way to determine at least basic things like whether this is a mobile browser! Determined web developers will still be able to detect the browser using Javascript and send the info to the server. And meanwhile, we won’t be able to send resources optimized for eg mobile browsers vs desktop ones. Now we have to ship lots of crap from the server and hope JS is enabled to load the minimum. The whole deprecation movement has to stop breaking the web for activist reasons.
                                                                                                                                                                                                                            • zzo38computer 477 days ago
                                                                                                                                                                                                                              The resource optimization is mostly needed only due to making stuff too complicated already. Simplify the document and then it should just as well either way.
                                                                                                                                                                                                                            • superkuh 477 days ago
                                                                                                                                                                                                                              I can see why the commercial web interests would want to get rid of user-agent strings. But to non-corporate persons, at least to techies, they're very useful and fun things. It's just text too so it's easy to deal with. Adopting some complex standard in javascript to replace it is no replacement.
                                                                                                                                                                                                                              • jmurda 477 days ago
                                                                                                                                                                                                                                There is a live demo of client hints https://browserleaks.com/client-hints I don't see how this should reduce fingerprinting if all sites start sending accept-ch headers by default
                                                                                                                                                                                                                                • dochtman 477 days ago
                                                                                                                                                                                                                                  Quite happy that the market leader is taking this step! Hopefully this will decrease the problems with lacking feature detection.

                                                                                                                                                                                                                                  I was surprised that the post doesn't contain any example user agent strings for a sample of how they are expected to look starting from the different milestones.

                                                                                                                                                                                                                                  • close04 478 days ago
                                                                                                                                                                                                                                    > It provides the required information only when the server requests it

                                                                                                                                                                                                                                    In the interest of fingerprinting a server would request this every time.

                                                                                                                                                                                                                                    > It provides the information in small increments, so servers are only exposed to the information they need and request

                                                                                                                                                                                                                                    Then the server would need and request the most comprehensive list possible in order to fingerprint someone with better granularity than a UA string could.

                                                                                                                                                                                                                                    I'm not against this as I appreciate the value of this kind on information for the developers. It would be done one way or another. But why is this billed as mainly a privacy move? Nothing suggests it intrinsically offers better privacy when facing a website configured to fingerprint you. It actually looks like it gives even more granular info over which the user has less control than they used to with the UA.

                                                                                                                                                                                                                                    • sergeykish 477 days ago
                                                                                                                                                                                                                                      How much of the web depends on User Agent header?

                                                                                                                                                                                                                                      Maybe it can be removed altogether with small whitelist of exceptions.

                                                                                                                                                                                                                                          general.useragent.override, String, leave empty
                                                                                                                                                                                                                                      Looks fine so far
                                                                                                                                                                                                                                      • TheGoddessInari 476 days ago
                                                                                                                                                                                                                                        This is rich coming from Google, which this week started blocking access to Gmail based on a client's user agent!
                                                                                                                                                                                                                                        • smashah 477 days ago
                                                                                                                                                                                                                                          Is this going to make spoofing UA harder/redundant? If so it's bad news for a lot of projects.
                                                                                                                                                                                                                                          • darrinm 477 days ago
                                                                                                                                                                                                                                            How will this affect caniuse.com? I use it every day.
                                                                                                                                                                                                                                            • josteink 477 days ago
                                                                                                                                                                                                                                              Ok. So how do we do OS detection then?

                                                                                                                                                                                                                                              How do I know which (binary) download to offer my users?

                                                                                                                                                                                                                                              Edit: How do I provide reasonable defaults when the user’s OS actually matters?

                                                                                                                                                                                                                                              • zzzcpan 477 days ago
                                                                                                                                                                                                                                                Don't. That's an anti-pattern in UX. People download binaries for different OSes all the time, so list links for all OSes you support.
                                                                                                                                                                                                                                                • josteink 477 days ago
                                                                                                                                                                                                                                                  Giving people a reasonable default is bad UX?

                                                                                                                                                                                                                                                  That’s a load of horseshit if I’ve ever heard it.

                                                                                                                                                                                                                                                  • abjKT26nO8 477 days ago
                                                                                                                                                                                                                                                    Websites presenting me with a big button to download a "reasonable" default and hiding everything else behind a small link that I have to go hunting gor is really annoying. There is nothing reasonable about it. Don't think that you know better what your users want then the users themselves.
                                                                                                                                                                                                                                                    • josteink 477 days ago
                                                                                                                                                                                                                                                      Optimizing for the 99% use-case is fairly normal and reasonable.

                                                                                                                                                                                                                                                      iOS users will almost always install apps via the AppStore. Most Windows-users are probably not interested in a DMG. Are you really going to argue against that?

                                                                                                                                                                                                                                                      I agree that taking away options based on OS-detection is a seriously nasty UX anti-pattern though.

                                                                                                                                                                                                                                                      • abjKT26nO8 477 days ago
                                                                                                                                                                                                                                                        > iOS users will almost always install apps via the AppStore. Most Windows-users are probably not interested in a DMG. Are you really going to argue against that?

                                                                                                                                                                                                                                                        It may be true in the case of iOS and Android, because they are so locked down. However, on more powerful platforms that Windows, Mac and Linux are it isn't. I may want to run it in a VM, or not install it, but place it somewhere on a shared drive, or anything that a non-handicapped OS is capable of facilitating and many of these things will mean I will want a binary not meant to be run by my native OS. Sometimes it happens that one of my devices will break and so I want to use another one to download something that will help me fix the issue. But now I'm going to have to go full Sherlock Holmes on a website that thinks it knows better what I'm looking for.

                                                                                                                                                                                                                                                        • AgloeDreams 477 days ago
                                                                                                                                                                                                                                                          In fairness, highlighting the right button for your OS and showing an 'other downloads' button is really a 'You' problem that probably only affects less than half of 1% of users. Almost all sites also show a 'other OS downloads' button. But this is all meaningless, as shown above, UA will be replaced by a client hint property.
                                                                                                                                                                                                                                                    • zzzcpan 477 days ago
                                                                                                                                                                                                                                                      What reasonable default? You don't know where people want to install your binaries and you do want people to know what other OSes you support. In UX if the number of choices is very small, like those couple of OSes you support, it is always best to present them all.
                                                                                                                                                                                                                                                      • josteink 477 days ago
                                                                                                                                                                                                                                                        Every major player provides the reasonable default when downloading binaries. Every single one. There’s a reason for that.

                                                                                                                                                                                                                                                        Regular users are not technical and if you ask them to make a choice based on technical matters (Windows, MAC, Linux, Apple AppStore, Android AppStore, Chrone WebStore, whatever), where you instead could have had -1 clear choice- already presented by default in a big nice button, you will lose conversions or increase tech-support costs.

                                                                                                                                                                                                                                                        The evidence for this is so overwhelming that knowingly trying to ignore that makes it look like you have an agenda or horse to grind.

                                                                                                                                                                                                                                                        • londons_explore 477 days ago
                                                                                                                                                                                                                                                          A good chunk of users don't know what OS they're running.

                                                                                                                                                                                                                                                          Perhaps you should propose a feature detection for it. It could look like the media source API for resolutions and formats for web video - except the same for binary formats for software.

                                                                                                                                                                                                                                                          • zzzcpan 477 days ago
                                                                                                                                                                                                                                                            No, these are not UX metrics, these are commercial metrics. There is a reason conversions and tech-support costs and almost all a/b tests and all that are not even remotely good UX metrics, as they do not exist to measure anything users care about in the product, only what companies care about.
                                                                                                                                                                                                                                                            • josteink 477 days ago
                                                                                                                                                                                                                                                              Okay.so let’s hypothetically say I buy your argument that providing a reasonable default is bad UX.

                                                                                                                                                                                                                                                              In what other places of application development should we also stop providing reasonable defaults and force the user to choose instead?

                                                                                                                                                                                                                                                              - country? city?

                                                                                                                                                                                                                                                              - localization?

                                                                                                                                                                                                                                                              - number for local support hotline?

                                                                                                                                                                                                                                                              - email of logged in user?

                                                                                                                                                                                                                                                              - type of currency for payments?

                                                                                                                                                                                                                                                              No? Then why is having a reasonable default for downloads bad?

                                                                                                                                                                                                                                                              • zzo38computer 477 days ago
                                                                                                                                                                                                                                                                My "WebOptions" idea would permit the user to customize these and other settings (both globally and locally; there could be some set of "common" keys as well as supporting keys specific for the server), in a similar format to cookies, although the server and document scripts would not be allowed to set them, and the user only sets them explicitly. For email, there is a "From" header, so that can be used if it is available.

                                                                                                                                                                                                                                                                But anyways, the service should not make it difficult to download if it detects a wrong computer; it should allow it always, and should not be so difficult by trying to hide it.

                                                                                                                                                                                                                                                    • b99andla 477 days ago
                                                                                                                                                                                                                                                    • ronancremin 477 days ago
                                                                                                                                                                                                                                                      The irony of Google purporting to protect users' privacy while at the same time:

                                                                                                                                                                                                                                                      - Chrome is still shipping with 3rd party cookies turned on by default (Safari and Firefox have them off, by default)

                                                                                                                                                                                                                                                      - Chrome usage stats are sent to Google including button clicks. This is admitted in the Chrome privacy policy.

                                                                                                                                                                                                                                                      - Chrome on mobile automatically shares your location with your default search engine i.e. Google

                                                                                                                                                                                                                                                      - Chrome sort of forces a login …which shares browser and user details history with Google

                                                                                                                                                                                                                                                      - Google redirects logins through the youtube.com domain to enable them to set a cookie for YouTube as well as Gmail or whatever, every time you login. Naughty stuff.

                                                                                                                                                                                                                                                      So the stated reason for the change doesn't appear to make sense, suggesting that something else is going on.

                                                                                                                                                                                                                                                      It amazes me that more people aren't calling Google out on this.

                                                                                                                                                                                                                                                      • czardoz 477 days ago
                                                                                                                                                                                                                                                        > So the stated reason for the change doesn't appear to make sense, suggesting that something else is going on.

                                                                                                                                                                                                                                                        That's unsubstantiated and dilutes the discussion IMO. If you read the post, the proposal outlines a bunch of good reasons to stop supporting UA strings (feature detection, etc)

                                                                                                                                                                                                                                                        • jasonvorhe 477 days ago
                                                                                                                                                                                                                                                          > - Chrome sort of forces a login …which shares browser and user details history with Google

                                                                                                                                                                                                                                                          This doesn't get more true by just repeating it over and over. If you login to Google it'll show up in Chrome next to the address bar but it doesn't enable any syncing to Google servers. That's a different step and it requires opt-in. You can also use Chrome without logging in to any Google services.

                                                                                                                                                                                                                                                          I don't get why privacy advocates, who often have a point when talking about Google, have to rely on FUD.

                                                                                                                                                                                                                                                          • techntoke 477 days ago
                                                                                                                                                                                                                                                            Because most of the negative attention that Chromium receives is FUD by people that rely on feelings and not facts.
                                                                                                                                                                                                                                                            • allovernow 477 days ago
                                                                                                                                                                                                                                                              Invasion of privacy is a valid and serious concern. The fact is that Google is collecting sensitive information semi-consensually and semi-transparently and arguably shouldn't be.
                                                                                                                                                                                                                                                              • samantohermes 477 days ago
                                                                                                                                                                                                                                                                Mostly by Firefox fanboys, who don't see that Firefox has been turned into a Chrome copycat with built-in blocklists and TBB features.
                                                                                                                                                                                                                                                              • scarejunba 477 days ago
                                                                                                                                                                                                                                                                Because let's be honest, most "privacy advocates" on HN are trying to be purer than the other guy. Ideological purity is what they're after, not privacy.
                                                                                                                                                                                                                                                              • geofft 477 days ago
                                                                                                                                                                                                                                                                Chrome also announced today a plan to get rid of third-party cookies: https://blog.chromium.org/2020/01/building-more-private-web-... And in fairness to them, Firefox and Safari's changes are very recent.

                                                                                                                                                                                                                                                                Anyway, Google is a big company. Different teams have different priorities. Does the US government care about privacy? Depends - at the very least - whether you're the NSA or the FTC. Given the many signs in the past that parts of Google are willing to fight other parts of Google they disagree with, I think a better strategy for us as the community is to call the Chrome team out, specifically, on things under their control and otherwise not be excessive cynical about the fact that they along a hundred thousand other people work for Google, and some of those other people are bad.

                                                                                                                                                                                                                                                                (Automatic login to Google is a think I think we should call them out for, to be clear.)

                                                                                                                                                                                                                                                                • ronancremin 477 days ago
                                                                                                                                                                                                                                                                  I agree that the Firefox change is recent, but not Safari. Safari has had 3rd party cookies disabled for many years now.
                                                                                                                                                                                                                                                                • traek 477 days ago
                                                                                                                                                                                                                                                                  It’s pretty silly to claim that the (admittedly bad) privacy policies of Google, or even Chrome, as a whole means it “doesn’t make sense” for any team within Google to advance a pro-privacy or pro-WWW project.

                                                                                                                                                                                                                                                                  This all-or-nothing mindset ends up harming privacy in practice.

                                                                                                                                                                                                                                                                  • shadowgovt 477 days ago
                                                                                                                                                                                                                                                                    Blink is Chromium's rendering engine. It's separate from Chrome the browser application vended by Google.
                                                                                                                                                                                                                                                                    • glogla 477 days ago
                                                                                                                                                                                                                                                                      Google is not protecting its users privacy, it is protecting their own business. They want everyone's ads to be worse than Google's, so you use Google. Hiding private data from everyone but themselves is part of the plan.
                                                                                                                                                                                                                                                                      • HorstG 477 days ago
                                                                                                                                                                                                                                                                        Exactly. That is also why "logging in to Chrome" or rather Google is such an insidious misfeature. Soon they will be the only ones with cross-site tracking and third-party-cookie equvalents in the leading browser.

                                                                                                                                                                                                                                                                        That would be check mate for all other advertisers.

                                                                                                                                                                                                                                                                        I'm just not sure whether it's good or bad that antitrust regulators won't notice before it's too late.

                                                                                                                                                                                                                                                                        • JohnFen 477 days ago
                                                                                                                                                                                                                                                                          I think that you're right. Regardless, these moves (as weak as they are so far) are beneficial for privacy in general.

                                                                                                                                                                                                                                                                          I'll take that benefit even if it tilts the advertising table in favor of Google. I don't care even a little about the overall health of the advertising/marketing industry.

                                                                                                                                                                                                                                                                        • Ghjklov 477 days ago
                                                                                                                                                                                                                                                                          From my experience, I always needed to explicitly change Firefox setting to disable 3rd party cookies on a fresh install.
                                                                                                                                                                                                                                                                          • dawnerd 477 days ago
                                                                                                                                                                                                                                                                            I don’t know if google redirecting their logins through YouTube and gmail are as bad as you make it out to be.
                                                                                                                                                                                                                                                                            • dhimes 477 days ago
                                                                                                                                                                                                                                                                              - Chrome on mobile automatically shares your location with your default search engine i.e. Google

                                                                                                                                                                                                                                                                              Holy fuck!

                                                                                                                                                                                                                                                                            • dangerface 477 days ago
                                                                                                                                                                                                                                                                              This is a backwards step, I get the user agent is revealing things it has no right to like os, but not all browsers are made equal I need to know what its capable of.
                                                                                                                                                                                                                                                                              • AgloeDreams 477 days ago
                                                                                                                                                                                                                                                                                They are adding a property for this. A browser will expose a bunch of 'I Support this' flags and client hints rather than a browser version.