
To enhance the privacy of its users and reduce the complexity of updating User-Agent strings, Google Chrome plans to move to a new system that web sites can use to identify information about their visitors.
When connecting to a web site, a browser will send a User-Agent string to the webserver that can be used to identify the name of the browser, its version, the operating system, and its rendering engine.
Web sites can use this browser information to determine what type of content they will send back or if their site even supports the browser.
As time has gone on and browsers have integrated various technologies from other companies, User-Agent strings have become convoluted and unwieldy.
For example, below is the user-agent for Chrome 79.0.3945.117, which as you can see also includes confusing references to other browsers such as Safari and Mozilla.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Even worse, due to the specific information contained in them, User-Agents are a privacy risk: Google states they are commonly used by fingerprinting scripts to track users.
Google wants to freeze the User-Agent and switch to Client Hints
To increase the privacy of their users and still allow web sites to get information about a client, Chrome developer Yoav Weiss intends to move away from user-agent strings and instead adopt the HTTP specification called 'UA Client Hints'.
"The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.
On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason."
What Weiss proposes is to eventually freeze the User-Agent string of Google Chrome so that it always sends the same string regardless of the browser's version.
For example, the Chrome Mobile User-Agent would be frozen at:
Mozilla/5.0 (Linux; Android 9; Unspecified Device) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.1.2222.33 Mobile Safari/537.36
The Chrome Desktop User-Agent would be frozen at:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36
When a user visits a web site, the request will contain the frozen UA string as well as a special 'Sec-CH-UA' header that contains basic information about the client, as shown below.
Sec-CH-UA: "Examplary Browser 73"
If a web site needs more than this basic information, it can request it with an 'opt-in' response header that asks for more detailed information such as the minor version and the operating system of the visitor.
This could be done via the following response header:
Accept-CH: UA, Platform
Once the web site has opted in to receiving this information, the browser would include headers containing the requested information on all subsequent requests:
Sec-CH-UA: "Examplary Browser 73.3R8.2H.1"
Sec-CH-Platform: "Windows 10"
Ultimately, though, it will be up to the browser whether it honors these requests for more information and what information is sent to the website.
This means that if a request comes from a site that is known to be abusive, Google can decide not to send any further client information back to them.
To use Client Hints, a web site must first satisfy the following requirements:
- Server opt-ins must be delivered on a top-level navigation request, over a secure connection.
- Hints are only delivered with same-origin requests, over a secure connection.
- If the first party wants hints to be delivered to certain third-party hosts, the first-party can explicitly delegate specific hints to specific hostnames.
- Hints are Sec-prefixed, to provide servers with more confidence regarding the values they deliver, as well as to avoid legacy server bugs.
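The exchange and delivery rules described above, as an added simulation that is not Chrome's code or the Client Hints specification: it uses the page's header names (Sec-CH-UA, Sec-CH-Platform, Accept-CH) and its rules that an opt-in only counts on a secure top-level navigation and that hints are only sent on same-origin requests over a secure connection. Hostnames such as example.test and the browser/platform values are constructed; third-party delegation is not modelled.

```python
"""Simulated Client Hints negotiation (added example, not Chrome's code).
Uses the page's header names (Sec-CH-UA, Sec-CH-Platform, Accept-CH) and its
rules: opt-ins count only on a secure top-level navigation; hints are sent
only on same-origin requests over https. All values are constructed."""
from urllib.parse import urlsplit

FROZEN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36")
LOW_ENTROPY = {"Sec-CH-UA": '"Examplary Browser 73"'}  # sent with every request
HIGH_ENTROPY = {"UA": ("Sec-CH-UA", '"Examplary Browser 73.3R8.2H.1"'),
                "Platform": ("Sec-CH-Platform", '"Windows 10"')}  # opt-in only

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))

class Browser:
    def __init__(self):
        self.opt_ins = {}  # origin -> set of hint names that origin asked for

    def request_headers(self, url):
        """Headers for a request to `url`: hints only over https and only for the
        origin that opted in (keying by request origin enforces same-origin)."""
        headers = {"User-Agent": FROZEN_UA, **LOW_ENTROPY}
        o = origin(url)
        if o[0] == "https":
            for name in sorted(self.opt_ins.get(o, ())):
                hdr, value = HIGH_ENTROPY[name]
                headers[hdr] = value
        return headers

    def process_response(self, url, response_headers, top_level):
        """Store an Accept-CH opt-in, but only from a secure top-level navigation."""
        accept = response_headers.get("Accept-CH")
        if accept and top_level and origin(url)[0] == "https":
            wanted = {h.strip() for h in accept.split(",")}
            self.opt_ins[origin(url)] = wanted & set(HIGH_ENTROPY)

def server_response(request_headers):
    """Site wanting platform details asks for them until it has them."""
    if "Sec-CH-Platform" not in request_headers:
        return {"Accept-CH": "UA, Platform"}
    return {}

def exchange(site="https://example.test/", third_party="https://cdn.example.test/"):
    """Navigate, opt in, then issue a same-origin and a cross-origin sub-request."""
    b = Browser()
    first = b.request_headers(site)
    b.process_response(site, server_response(first), top_level=True)
    return first, b.request_headers(site), b.request_headers(third_party)
```

The first request carries only the frozen UA and the low-entropy hint; after the opt-in, the same-origin request gains the full version and platform while the cross-origin request does not.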
As part of this plan, Google hopes to remove access to the navigator.userAgent JavaScript property in Chrome 81, freeze the browser's User-Agent string in Chrome 83, and unify all desktop and mobile versions to the same string in Chrome 85.
| Milestone | Stable date | Action |
|---|---|---|
| M81 | Mid March ‘20 | Deprecate access to `navigator.userAgent` |
| M83 | Early June ‘20 | Freeze browser version and unify OS versions |
| M85 | Mid September ‘20 | Unify desktop OS string as a common value for desktop browsers. Unify mobile OS/device strings as a similarly common value for those at M85 (*) |
Other vendors, such as Microsoft and Mozilla, have indicated that they support this change, while Safari has already frozen its UA string to some degree, apart from operating system version changes.
Concerns about using Client Hints
Switching to Client Hints as a method for web sites to gain information about a client appears to be a good idea but does have some issues.
As Client Hints will only be usable by the top-level navigation request, third-party scripts that require User-Agent information will need to work with websites to receive this information.
Furthermore, as the browser does not send detailed information about the client in the first request, there will be a delay in getting detailed information for sites that need it.

Comments
Pointless_noise - 3 years ago
Google blocks access to some of its services based on browser user-agents of competitors and puts up a message saying to use Chrome.
Competitors start spoofing user-agent info to bypass these unfair blocks.
Google now says user-agents need to change.
RatMan29 - 3 years ago
Nothing Google does can be trusted as protecting its users' privacy. Google is second only to Facebook as a gatherer and misuser of our private information.
I only ever use Chrome if better browsers such as Brave won't work on a particular site.