
To enhance the privacy of its users and reduce the complexity of updating User-Agent strings, Google Chrome plans to move to a new system that web sites can use to identify information about their visitors.

When connecting to a web site, a browser will send a User-Agent string to the webserver that can be used to identify the name of the browser, its version, the operating system, and its rendering engine.

Web sites can use this browser information to determine what type of content they will send back or if their site even supports the browser.

As time has gone on and browsers have integrated various technology from other companies, User-Agent strings have become convoluted and unwieldy.

For example, below is the user-agent for Chrome 79.0.3945.117, which as you can see also includes confusing references to other browsers such as Safari and Mozilla.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

Even worse, because of the specific information they contain, User-Agent strings are a privacy risk: Google states they are commonly used by fingerprinting scripts to track users.

Google wants to freeze the User-Agent and switch to Client Hints

To increase the privacy of their users and still allow web sites to get information about a client, Chrome developer Yoav Weiss intends to move away from user-agent strings and instead adopt the HTTP specification called 'UA Client Hints'.

"The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason."

What Weiss proposes is to eventually freeze the User-Agent string of Google Chrome so that it always sends the same string regardless of the browser's version.

For example, the Chrome Mobile User-Agent would be frozen at:

Mozilla/5.0 (Linux; Android 9; Unspecified Device) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.1.2222.33 Mobile Safari/537.36

The Chrome Desktop User-Agent would be frozen at:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36

When a user visits a web site, the request will contain the frozen UA string as well as a special 'Sec-CH-UA' header that contains basic information about the client, as shown below.

Sec-CH-UA: "Examplary Browser 73"

If a web site needs more than this basic information, it would request it through an 'opt-in' response header that asks for more detailed information, such as the minor version and the operating system of the visitor.

This could be done via the following header request:

Accept-CH: UA, Platform

Once the web site has opted in to receiving this information, the browser would respond on all subsequent requests with headers containing the requested information:

Sec-CH-UA: "Examplary Browser 73.3R8.2H.1"
Sec-CH-Platform: "Windows 10"

Ultimately, though, it will be up to the browser whether it honors these requests for more information and what information is sent to the website.

This means that if a request comes from a site that is known to be abusive, Google can decide not to send any further client information back to them.

To use Client Hints, a web site must first satisfy the following requirements:

  • Server opt-ins must be delivered on a top-level navigation request, over a secure connection.
  • Hints are only delivered with same-origin requests, over a secure connection.
  • If the first party wants hints to be delivered to certain third-party hosts, the first-party can explicitly delegate specific hints to specific hostnames.
  • Hints are Sec- prefixed, to provide servers with more confidence regarding the values they deliver, as well as to avoid legacy server bugs.
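The exchange described above (low-entropy Sec-CH-UA on every request, Accept-CH opt-in, then Sec-CH-UA and Sec-CH-Platform on later requests) together with the delivery rules in the list, as an added simulation of the browser side. This is example code, not Chrome's implementation; the brand, version and platform values are the ones from the page's examples, and the mapping of Accept-CH tokens to header names is an assumption for the demo.

```python
from urllib.parse import urlsplit

# Sample values taken from the page's examples (frozen desktop UA, "Examplary Browser").
FROZEN_UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
             '(KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36')
BRAND = "Examplary Browser"
MAJOR, FULL_VERSION, PLATFORM = "73", "73.3R8.2H.1", "Windows 10"

# Assumed mapping: Accept-CH token (as written on the page) -> Sec-CH-* header it unlocks.
HINT_HEADERS = {"UA": "Sec-CH-UA", "Platform": "Sec-CH-Platform"}


class ClientHintsBrowser:
    """Simulates a browser that remembers per-origin Client Hints opt-ins."""

    def __init__(self):
        self.opt_ins = {}  # origin -> set of hint tokens the server asked for

    @staticmethod
    def origin(url):
        p = urlsplit(url)
        return f"{p.scheme}://{p.netloc}"

    def receive_response(self, url, headers, top_level=True):
        """Record an Accept-CH opt-in only from a secure, top-level navigation response."""
        if not top_level or urlsplit(url).scheme != "https":
            return False
        accept = headers.get("Accept-CH", "")
        tokens = {t.strip() for t in accept.split(",") if t.strip() in HINT_HEADERS}
        if not tokens:
            return False
        self.opt_ins[self.origin(url)] = tokens
        return True

    def build_request(self, url, initiator=None):
        """Headers for a request: frozen UA plus low-entropy Sec-CH-UA always;
        detailed hints only for secure, same-origin requests to an opted-in origin."""
        h = {"User-Agent": FROZEN_UA, "Sec-CH-UA": f'"{BRAND} {MAJOR}"'}
        origin = self.origin(url)
        same_origin = initiator is None or self.origin(initiator) == origin
        if urlsplit(url).scheme != "https" or not same_origin:
            return h
        for token in self.opt_ins.get(origin, ()):
            value = f"{BRAND} {FULL_VERSION}" if token == "UA" else PLATFORM
            h[HINT_HEADERS[token]] = f'"{value}"'
        return h
```

A third-party script loaded from another host receives only the low-entropy header, which is the limitation the "Concerns" section below describes.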

As part of this plan, Google hopes to remove access to the navigator.userAgent JavaScript property in Chrome 81, freeze the browser's User-Agent string in Chrome 83, and unify all desktop and mobile versions to the same string in Chrome 85. 

Milestone | Stable date       | Action
M81       | Mid March ‘20     | Deprecate access to `navigator.userAgent`
M83       | Early June ‘20    | Freeze browser version and unify OS versions
M85       | Mid September ‘20 | Unify desktop OS string as a common value for desktop browsers; unify mobile OS/device strings as a similarly common value for those at M85 (*)

Other vendors, such as Microsoft and Mozilla, have indicated that they support this change, while Safari has already largely frozen its UA string, with only the operating system version still changing.

Concerns about using Client Hints

Switching to Client Hints as a method for web sites to gain information about a client appears to be a good idea but does have some issues.

As Client Hints opt-ins can only be delivered on the top-level navigation request, third-party scripts that require User-Agent information will need to work with the websites that embed them to receive this information.

Furthermore, as the browser does not send detailed information about the client in the first request, there will be a delay in getting detailed information for sites that need it.
