[prev in list] [next in list] [prev in thread] [next in thread]
List: webkit-dev
Subject: Re: [webkit-dev] User Agent Client Hints
From: Maciej Stachowiak <mjs () apple ! com>
Date: 2020-11-02 23:32:02
Message-ID: B1BEEDDA-70F8-4DB1-989D-FA7F04270D0A () apple ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
> On Nov 2, 2020, at 8:56 AM, Yoav Weiss <yoav@yoav.ws> wrote:
>
> Thanks for re-reviewing, Maciej!
>
> Adding Mike Taylor, who's likely to take a closer look at this.
>
> On Mon, Nov 2, 2020 at 2:17 AM Maciej Stachowiak <mjs@apple.com \
> <mailto:mjs@apple.com>> wrote:
> I just did a fresh review of that spec and explainer. Thanks for \
> addressing many of the previous issues. This addresses many of the \
> potential objections.
> Here's the new issues I filed:
>
> https://github.com/WICG/ua-client-hints/issues/141 \
> <https://github.com/WICG/ua-client-hints/issues/141> \
> https://github.com/WICG/ua-client-hints/issues/142 \
> <https://github.com/WICG/ua-client-hints/issues/142> \
> https://github.com/WICG/ua-client-hints/issues/143 \
> <https://github.com/WICG/ua-client-hints/issues/143> \
> https://github.com/WICG/ua-client-hints/issues/144 \
> <https://github.com/WICG/ua-client-hints/issues/144> \
> https://github.com/WICG/ua-client-hints/issues/145 \
> <https://github.com/WICG/ua-client-hints/issues/145> \
> https://github.com/WICG/ua-client-hints/issues/146 \
> <https://github.com/WICG/ua-client-hints/issues/146> \
> https://github.com/WICG/ua-client-hints/issues/147 \
> <https://github.com/WICG/ua-client-hints/issues/147> \
> https://github.com/WICG/ua-client-hints/issues/148 \
> <https://github.com/WICG/ua-client-hints/issues/148> \
> https://github.com/WICG/ua-client-hints/issues/149 \
> <https://github.com/WICG/ua-client-hints/issues/149> \
> https://github.com/WICG/ua-client-hints/issues/150 \
> <https://github.com/WICG/ua-client-hints/issues/150> \
> https://github.com/WICG/ua-client-hints/issues/151 \
> <https://github.com/WICG/ua-client-hints/issues/151>
>
> Thanks for filing those! We'll take a look and respond shortly.
>
> Most of these are minor/editorial, but I think 151 is potentially a \
> deal-breaker. I may be misreading the spec, but as written \
> getHighEntropyValues seems to give access to all of the high entropy \
> client hints to third-party scripts in the first party context, and \
> scripts running in third-party iframes, regardless of which ones the site \
> has opted into via the relevant HTTP header.
> That's indeed the case, as we didn't consider the Client Hints opt-in to \
> be something that impacts the availability of the JS API. (as it doesn't \
> do that for other hints)
We're currently deeply skeptical of implementing any of the other client \
hints due to their expansion of fingerprinting surface, so I don't feel \
particularly compelled by that precedent. That said, it's likely the other \
client hints have this same problem, where they expose fingerprinting \
surface way more widely than they may be intending to.
> That would be a huge problem, as it would grant a lot of active \
> fingerprinting surface unnecessarily
> We did discuss <https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548> \
> adding a Feature Policy (now Permission Policy) to that effect. Would \
> that help with your concerns?
My understanding is that feature policy applies at the frame level, and \
therefore could not be used to control what happens when a third-party \
script in a first party context calls the API. Even for third-party \
iframes, it seems like Feature Policy could only default-deny this JS API \
entirely, and would not be able to filter the results down to the set \
delegated via HTTP headers (or otherwise). Maybe you intend a feature \
policy per individual high entropy hint, but first of all that seems like \
overkill, and second, the spec is clearly not written to support such \
filtering.
So no, it would not address the concerns.
I think the best approach is to limit the hints to those opted into (or, in \
case of a third-party frame, delegated). That or remove the script API \
entirely. The origin-based delegation model that works well at the HTTP \
level is not well aligned with the widespread practice of including \
third-party scripts in the top frame.
The spec does not eve allow denying the request entirely as written. A \
non-normative Note suggests that is allowed, but I can't find any step in \
the algorithm that would ever reject the promise.
>
> (perhaps even expanding beyond what is currently possible with the UA \
> string).
> Can you expand on that last point?
I mean that the client hints might include info that is not in the UA sting \
(possibly not at all, or possibly frozen in UA string but could be unfrozen \
in the client hints).
>
>
> Regards,
> Maciej
>
>
> > On Oct 27, 2020, at 12:35 AM, Yoav Weiss <yoav@yoav.ws \
> > <mailto:yoav@yoav.ws>> wrote:
> > Yet-another ping! :)
> >
> > On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav@yoav.ws \
> > <mailto:yoav@yoav.ws>> wrote: Friendly ping! :)
> >
> > On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss <yoav@yoav.ws \
> > <mailto:yoav@yoav.ws>> wrote: Hi WebKit folks,
> >
> > Circling back on the previous discussion \
> > <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031195.html> \
> > about User-Agent ClientHint. The feature was implemented in Chromium \
> > and is being rolled out in Chrome.
> > There were some concerns mentioned in the previous thread, that we \
> > believe were since addressed. Would the feature be something that \
> > WebKit would consider shipping?
> > Cheers :)
> > Yoav
> > _______________________________________________
> > webkit-dev mailing list
> > webkit-dev@lists.webkit.org <mailto:webkit-dev@lists.webkit.org>
> > https://lists.webkit.org/mailman/listinfo/webkit-dev \
> > <https://lists.webkit.org/mailman/listinfo/webkit-dev>
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html; \
charset=utf-8"></head><body style="word-wrap: break-word; \
-webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br \
class=""><div><br class=""><blockquote type="cite" class=""><div \
class="">On Nov 2, 2020, at 8:56 AM, Yoav Weiss <<a \
href="mailto:yoav@yoav.ws" class="">yoav@yoav.ws</a>> wrote:</div><br \
class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" \
class=""><div dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; \
text-indent: 0px; text-transform: none; white-space: normal; word-spacing: \
0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div \
dir="ltr" class=""><div class="">Thanks for re-reviewing, Maciej!<br \
class=""></div><div class=""><br class=""></div><div class="">Adding Mike \
Taylor, who's likely to take a closer look at this.</div></div><br \
class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, \
Nov 2, 2020 at 2:17 AM Maciej Stachowiak <<a href="mailto:mjs@apple.com" \
class="">mjs@apple.com</a>> wrote:<br class=""></div><blockquote \
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: \
1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); \
padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div \
class=""><br class=""></div>I just did a fresh review of that spec and \
explainer. Thanks for addressing many of the previous issues. This \
addresses many of the potential objections.<div class=""><br \
class=""></div><div class="">Here's the new issues I filed:<br \
class=""><div class=""><br class=""></div><div class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/141" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/141</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/142" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/142</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/143" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/143</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/144" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/144</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/145" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/145</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/146" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/146</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/147" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/147</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/148" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/148</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/149" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/149</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/150" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/150</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: \
-apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, \
sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/151" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: \
none; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", \
Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/151</a><br \
class=""><div class=""><br \
class=""></div></div></div></div></blockquote><div class=""><br \
class=""></div><div class="">Thanks for filing those! We'll take a look and \
respond shortly.</div><div class=""> </div><blockquote \
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: \
1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); \
padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div \
class=""><div class=""><div class=""><div class="">Most of these are \
minor/editorial, but I think 151 is potentially a deal-breaker. I may be \
misreading the spec, but as written getHighEntropyValues seems to give \
access to all of the high entropy client hints to third-party scripts in \
the first party context, and scripts running in third-party iframes, \
regardless of which ones the site has opted into via the relevant HTTP \
header.<span class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">That's indeed the case, as we \
didn't consider the Client Hints opt-in to be something that impacts the \
availability of the JS API. (as it doesn't do that for other \
hints)</div></div></div></div></blockquote><div><br \
class=""></div><div>We're currently deeply skeptical of implementing any of \
the other client hints due to their expansion of fingerprinting surface, so \
I don't feel particularly compelled by that precedent. That said, it's \
likely the other client hints have this same problem, where they expose \
fingerprinting surface way more widely than they may be intending \
to.</div><br class=""><blockquote type="cite" class=""><div class=""><div \
dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; \
font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; \
text-indent: 0px; text-transform: none; white-space: normal; word-spacing: \
0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div \
class="gmail_quote"><div class=""></div><blockquote class="gmail_quote" \
style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; \
border-left-style: solid; border-left-color: rgb(204, 204, 204); \
padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div \
class=""><div class=""><div class=""><div class="">That would be a huge \
problem, as it would grant a lot of active fingerprinting surface \
unnecessarily<span class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">We did<span \
class="Apple-converted-space"> </span><a \
href="https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548" \
class="">discuss</a> adding a Feature Policy (now Permission Policy) \
to that effect. Would that help with your \
concerns?</div></div></div></div></blockquote><div><br \
class=""></div><div>My understanding is that feature policy applies at the \
frame level, and therefore could not be used to control what happens when a \
third-party script in a first party context calls the API. Even for \
third-party iframes, it seems like Feature Policy could only default-deny \
this JS API entirely, and would not be able to filter the results down to \
the set delegated via HTTP headers (or otherwise). Maybe you intend a \
feature policy per individual high entropy hint, but first of all that \
seems like overkill, and second, the spec is clearly not written to support \
such filtering.</div><div><br class=""></div><div>So no, it would not \
address the concerns.</div><div><br class=""></div><div>I think the best \
approach is to limit the hints to those opted into (or, in case of a \
third-party frame, delegated). That or remove the script API entirely. The \
origin-based delegation model that works well at the HTTP level is not well \
aligned with the widespread practice of including third-party scripts in \
the top frame.</div><div><br class=""></div><div>The spec does not eve \
allow denying the request entirely as written. A non-normative Note \
suggests that is allowed, but I can't find any step in the algorithm that \
would ever reject the promise.</div><div><br class=""></div><blockquote \
type="cite" class=""><div class=""><div dir="ltr" style="caret-color: \
rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; \
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; \
text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: \
none;" class=""><div class="gmail_quote"><div \
class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px \
0px 0.8ex; border-left-width: 1px; border-left-style: solid; \
border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div \
style="overflow-wrap: break-word;" class=""><div class=""><div \
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic