From webkit-dev Mon Nov 02 23:32:02 2020 From: Maciej Stachowiak Date: Mon, 02 Nov 2020 23:32:02 +0000 To: webkit-dev Subject: Re: [webkit-dev] User Agent Client Hints Message-Id: X-MARC-Message: https://marc.info/?l=webkit-dev&m=160436009227898 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--===============1907241640==" --===============1907241640== Content-type: multipart/alternative; boundary="Apple-Mail=_3CE54E71-70AE-4488-AF6A-E1BDDD8766AC" --Apple-Mail=_3CE54E71-70AE-4488-AF6A-E1BDDD8766AC Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On Nov 2, 2020, at 8:56 AM, Yoav Weiss wrote: >=20 > Thanks for re-reviewing, Maciej! >=20 > Adding Mike Taylor, who's likely to take a closer look at this. >=20 > On Mon, Nov 2, 2020 at 2:17 AM Maciej Stachowiak > wrote: >=20 > I just did a fresh review of that spec and explainer. Thanks for = addressing many of the previous issues. This addresses many of the = potential objections. >=20 > Here=E2=80=99s the new issues I filed: >=20 > https://github.com/WICG/ua-client-hints/issues/141 = > https://github.com/WICG/ua-client-hints/issues/142 = > https://github.com/WICG/ua-client-hints/issues/143 = > https://github.com/WICG/ua-client-hints/issues/144 = > https://github.com/WICG/ua-client-hints/issues/145 = > https://github.com/WICG/ua-client-hints/issues/146 = > https://github.com/WICG/ua-client-hints/issues/147 = > https://github.com/WICG/ua-client-hints/issues/148 = > https://github.com/WICG/ua-client-hints/issues/149 = > https://github.com/WICG/ua-client-hints/issues/150 = > https://github.com/WICG/ua-client-hints/issues/151 = >=20 >=20 > Thanks for filing those! We'll take a look and respond shortly. > =20 > Most of these are minor/editorial, but I think 151 is potentially a = deal-breaker. I may be misreading the spec, but as written = getHighEntropyValues seems to give access to all of the high entropy = client hints to third-party scripts in the first party context, and = scripts running in third-party iframes, regardless of which ones the = site has opted into via the relevant HTTP header.=20 >=20 > That's indeed the case, as we didn't consider the Client Hints opt-in = to be something that impacts the availability of the JS API. (as it = doesn't do that for other hints) We=E2=80=99re currently deeply skeptical of implementing any of the = other client hints due to their expansion of fingerprinting surface, so = I don=E2=80=99t feel particularly compelled by that precedent. That = said, it=E2=80=99s likely the other client hints have this same problem, = where they expose fingerprinting surface way more widely than they may = be intending to. > That would be a huge problem, as it would grant a lot of active = fingerprinting surface unnecessarily=20 >=20 > We did discuss = = adding a Feature Policy (now Permission Policy) to that effect. Would = that help with your concerns? My understanding is that feature policy applies at the frame level, and = therefore could not be used to control what happens when a third-party = script in a first party context calls the API. Even for third-party = iframes, it seems like Feature Policy could only default-deny this JS = API entirely, and would not be able to filter the results down to the = set delegated via HTTP headers (or otherwise). Maybe you intend a = feature policy per individual high entropy hint, but first of all that = seems like overkill, and second, the spec is clearly not written to = support such filtering. So no, it would not address the concerns. I think the best approach is to limit the hints to those opted into (or, = in case of a third-party frame, delegated). That or remove the script = API entirely. The origin-based delegation model that works well at the = HTTP level is not well aligned with the widespread practice of including = third-party scripts in the top frame. The spec does not eve allow denying the request entirely as written. A = non-normative Note suggests that is allowed, but I can=E2=80=99t find = any step in the algorithm that would ever reject the promise. > =20 > (perhaps even expanding beyond what is currently possible with the UA = string). >=20 > Can you expand on that last point? I mean that the client hints might include info that is not in the UA = sting (possibly not at all, or possibly frozen in UA string but could be = unfrozen in the client hints). > =20 >=20 > Regards, > Maciej >=20 >=20 >> On Oct 27, 2020, at 12:35 AM, Yoav Weiss > wrote: >>=20 >> Yet-another ping! :) >>=20 >> On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss > wrote: >> Friendly ping! :) >>=20 >> On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss > wrote: >> Hi WebKit folks, >>=20 >> Circling back on the previous discussion = = about User-Agent ClientHint. The feature was implemented in Chromium and = is being rolled out in Chrome. >>=20 >> There were some concerns mentioned in the previous thread, that we = believe were since addressed. Would the feature be something that WebKit = would consider shipping?=20 >>=20 >> Cheers :) >> Yoav >> _______________________________________________ >> webkit-dev mailing list >> webkit-dev@lists.webkit.org >> https://lists.webkit.org/mailman/listinfo/webkit-dev = --Apple-Mail=_3CE54E71-70AE-4488-AF6A-E1BDDD8766AC Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8

On Nov 2, 2020, at 8:56 AM, Yoav Weiss <yoav@yoav.ws> = wrote:

Thanks for re-reviewing, Maciej!

Adding Mike Taylor, = who's likely to take a closer look at this.

On Mon, Nov = 2, 2020 at 2:17 AM Maciej Stachowiak <mjs@apple.com> wrote:

I just did = a fresh review of that spec and explainer. Thanks for addressing many of = the previous issues. This addresses many of the potential = objections.

Here=E2=80= =99s the new issues I filed:

https://github.com/WICG/ua-client-hints/issues/141
https://github.com/WICG/ua-client-hints/issues/142
https://github.com/WICG/ua-client-hints/issues/143
https://github.com/WICG/ua-client-hints/issues/144
https://github.com/WICG/ua-client-hints/issues/145
https://github.com/WICG/ua-client-hints/issues/146
https://github.com/WICG/ua-client-hints/issues/147
https://github.com/WICG/ua-client-hints/issues/148
https://github.com/WICG/ua-client-hints/issues/149
https://github.com/WICG/ua-client-hints/issues/150
https://github.com/WICG/ua-client-hints/issues/151


Thanks for filing those! We'll take a = look and respond shortly.
 
Most of these are minor/editorial, but I = think 151 is potentially a deal-breaker. I may be misreading the spec, = but as written getHighEntropyValues seems to give access to all of = the high entropy client hints to third-party scripts in the first party = context, and scripts running in third-party iframes, regardless of which = ones the site has opted into via the relevant HTTP header. 

That's = indeed the case, as we didn't consider the Client Hints opt-in to be = something that impacts the availability of the JS API. (as it doesn't do = that for other hints)

We=E2=80=99re currently deeply skeptical of = implementing any of the other client hints due to their expansion of = fingerprinting surface, so I don=E2=80=99t feel particularly compelled = by that precedent. That said, it=E2=80=99s likely the other client hints = have this same problem, where they expose fingerprinting surface way = more widely than they may be intending to.

That would be a huge problem, as it would = grant a lot of active fingerprinting surface unnecessarily 

We = did discuss adding a Feature Policy (now = Permission Policy) to that effect. Would that help with your = concerns?

My understanding is that feature policy applies at = the frame level, and therefore could not be used to control what happens = when a third-party script in a first party context calls the API. Even = for third-party iframes, it seems like Feature Policy could only = default-deny this JS API entirely, and would not be able to filter the = results down to the set delegated via HTTP headers (or otherwise). Maybe = you intend a feature policy per individual high entropy hint, but first = of all that seems like overkill, and second, the spec is clearly not = written to support such filtering.

So = no, it would not address the concerns.

I think the best approach is to limit the hints to = those opted into (or, in case of a third-party frame, delegated). That = or remove the script API entirely. The origin-based delegation model = that works well at the HTTP level is not well aligned with the = widespread practice of including third-party scripts in the top = frame.

The spec does not eve allow = denying the request entirely as written. A non-normative Note suggests = that is allowed, but I can=E2=80=99t find any step in the algorithm that = would ever reject the promise.

 
(perhaps even expanding beyond what is = currently possible with the UA = string).

Can you expand on that last = point?

I mean that the client hints might include info = that is not in the UA sting (possibly not at all, or possibly frozen in = UA string but could be unfrozen in the client hints).

 

Regards,
Maciej


On Oct 27, 2020, at 12:35 AM, Yoav Weiss = <yoav@yoav.ws> wrote:

Yet-another ping! :)

On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav@yoav.ws> wrote:
Friendly ping! :)

On Wed, Sep = 30, 2020 at 9:29 AM Yoav Weiss <yoav@yoav.ws> wrote:
Hi WebKit folks,

Circling back on the previous discussion about User-Agent = ClientHint. The feature was implemented in Chromium and is being = rolled out in Chrome.

There were some = concerns mentioned in the previous thread, that we believe were since = addressed. Would the feature be something that WebKit would = consider shipping? 

Cheers :)
Yoav
_________= ______________________________________
webkit-dev mailing = list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
<= /blockquote>
<= /blockquote>
= --Apple-Mail=_3CE54E71-70AE-4488-AF6A-E1BDDD8766AC-- --===============1907241640== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev --===============1907241640==--