[prev in list] [next in list] [prev in thread] [next in thread]
List: webkit-dev
Subject: Re: [webkit-dev] User Agent Client Hints
From: Maciej Stachowiak <mjs () apple ! com>
Date: 2020-11-02 23:32:02
Message-ID: B1BEEDDA-70F8-4DB1-989D-FA7F04270D0A () apple ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
> On Nov 2, 2020, at 8:56 AM, Yoav Weiss <yoav@yoav.ws> wrote:
>
> Thanks for re-reviewing, Maciej!
>
> Adding Mike Taylor, who's likely to take a closer look at this.
>
> On Mon, Nov 2, 2020 at 2:17 AM Maciej Stachowiak <mjs@apple.com \
> <mailto:mjs@apple.com>> wrote:
> I just did a fresh review of that spec and explainer. Thanks for addressing many of \
> the previous issues. This addresses many of the potential objections.
> Here's the new issues I filed:
>
> https://github.com/WICG/ua-client-hints/issues/141 \
> <https://github.com/WICG/ua-client-hints/issues/141> \
> https://github.com/WICG/ua-client-hints/issues/142 \
> <https://github.com/WICG/ua-client-hints/issues/142> \
> https://github.com/WICG/ua-client-hints/issues/143 \
> <https://github.com/WICG/ua-client-hints/issues/143> \
> https://github.com/WICG/ua-client-hints/issues/144 \
> <https://github.com/WICG/ua-client-hints/issues/144> \
> https://github.com/WICG/ua-client-hints/issues/145 \
> <https://github.com/WICG/ua-client-hints/issues/145> \
> https://github.com/WICG/ua-client-hints/issues/146 \
> <https://github.com/WICG/ua-client-hints/issues/146> \
> https://github.com/WICG/ua-client-hints/issues/147 \
> <https://github.com/WICG/ua-client-hints/issues/147> \
> https://github.com/WICG/ua-client-hints/issues/148 \
> <https://github.com/WICG/ua-client-hints/issues/148> \
> https://github.com/WICG/ua-client-hints/issues/149 \
> <https://github.com/WICG/ua-client-hints/issues/149> \
> https://github.com/WICG/ua-client-hints/issues/150 \
> <https://github.com/WICG/ua-client-hints/issues/150> \
> https://github.com/WICG/ua-client-hints/issues/151 \
> <https://github.com/WICG/ua-client-hints/issues/151>
>
> Thanks for filing those! We'll take a look and respond shortly.
>
> Most of these are minor/editorial, but I think 151 is potentially a deal-breaker. I \
> may be misreading the spec, but as written getHighEntropyValues seems to give \
> access to all of the high entropy client hints to third-party scripts in the first \
> party context, and scripts running in third-party iframes, regardless of which ones \
> the site has opted into via the relevant HTTP header.
> That's indeed the case, as we didn't consider the Client Hints opt-in to be \
> something that impacts the availability of the JS API. (as it doesn't do that for \
> other hints)
We're currently deeply skeptical of implementing any of the other client hints due to \
their expansion of fingerprinting surface, so I don't feel particularly compelled by \
that precedent. That said, it's likely the other client hints have this same problem, \
where they expose fingerprinting surface way more widely than they may be intending \
to.
> That would be a huge problem, as it would grant a lot of active fingerprinting \
> surface unnecessarily
> We did discuss <https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548> \
> adding a Feature Policy (now Permission Policy) to that effect. Would that help \
> with your concerns?
My understanding is that feature policy applies at the frame level, and therefore \
could not be used to control what happens when a third-party script in a first party \
context calls the API. Even for third-party iframes, it seems like Feature Policy \
could only default-deny this JS API entirely, and would not be able to filter the \
results down to the set delegated via HTTP headers (or otherwise). Maybe you intend a \
feature policy per individual high entropy hint, but first of all that seems like \
overkill, and second, the spec is clearly not written to support such filtering.
So no, it would not address the concerns.
I think the best approach is to limit the hints to those opted into (or, in case of a \
third-party frame, delegated). That or remove the script API entirely. The \
origin-based delegation model that works well at the HTTP level is not well aligned \
with the widespread practice of including third-party scripts in the top frame.
The spec does not eve allow denying the request entirely as written. A non-normative \
Note suggests that is allowed, but I can't find any step in the algorithm that would \
ever reject the promise.
>
> (perhaps even expanding beyond what is currently possible with the UA string).
>
> Can you expand on that last point?
I mean that the client hints might include info that is not in the UA sting (possibly \
not at all, or possibly frozen in UA string but could be unfrozen in the client \
hints).
>
>
> Regards,
> Maciej
>
>
> > On Oct 27, 2020, at 12:35 AM, Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > wrote:
> > Yet-another ping! :)
> >
> > On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > wrote: Friendly ping! :)
> >
> > On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > wrote: Hi WebKit folks,
> >
> > Circling back on the previous discussion \
> > <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031195.html> about \
> > User-Agent ClientHint. The feature was implemented in Chromium and is being \
> > rolled out in Chrome.
> > There were some concerns mentioned in the previous thread, that we believe were \
> > since addressed. Would the feature be something that WebKit would consider \
> > shipping?
> > Cheers :)
> > Yoav
> > _______________________________________________
> > webkit-dev mailing list
> > webkit-dev@lists.webkit.org <mailto:webkit-dev@lists.webkit.org>
> > https://lists.webkit.org/mailman/listinfo/webkit-dev \
> > <https://lists.webkit.org/mailman/listinfo/webkit-dev>
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html; \
charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; \
line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote \
type="cite" class=""><div class="">On Nov 2, 2020, at 8:56 AM, Yoav Weiss <<a \
href="mailto:yoav@yoav.ws" class="">yoav@yoav.ws</a>> wrote:</div><br \
class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><div \
dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><div dir="ltr" class=""><div class="">Thanks for re-reviewing, Maciej!<br \
class=""></div><div class=""><br class=""></div><div class="">Adding Mike Taylor, \
who's likely to take a closer look at this.</div></div><br class=""><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 2, 2020 at 2:17 AM \
Maciej Stachowiak <<a href="mailto:mjs@apple.com" class="">mjs@apple.com</a>> \
wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px \
0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, \
204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div \
class=""><br class=""></div>I just did a fresh review of that spec and explainer. \
Thanks for addressing many of the previous issues. This addresses many of the \
potential objections.<div class=""><br class=""></div><div class="">Here's the new \
issues I filed:<br class=""><div class=""><br class=""></div><div class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/141" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/141</a><br style="box-sizing: \
border-box; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, \
"Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", \
"Segoe UI Emoji"; font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/142" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class="">https://github.com/WICG/ua-client-hints/issues/142</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;" class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/143" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/143</a><br style="box-sizing: \
border-box; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, \
"Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", \
"Segoe UI Emoji"; font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/144" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class="">https://github.com/WICG/ua-client-hints/issues/144</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;" class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/145" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/145</a><br style="box-sizing: \
border-box; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, \
"Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", \
"Segoe UI Emoji"; font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/146" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class="">https://github.com/WICG/ua-client-hints/issues/146</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;" class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/147" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/147</a><br style="box-sizing: \
border-box; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, \
"Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", \
"Segoe UI Emoji"; font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/148" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class="">https://github.com/WICG/ua-client-hints/issues/148</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;" class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/149" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/149</a><br style="box-sizing: \
border-box; color: rgb(36, 41, 46); font-family: -apple-system, BlinkMacSystemFont, \
"Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", \
"Segoe UI Emoji"; font-size: 14px;" class=""><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/150" target="_blank" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;" class="">https://github.com/WICG/ua-client-hints/issues/150</a><br \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;" class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/151" \
target="_blank" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: 14px;" \
class="">https://github.com/WICG/ua-client-hints/issues/151</a><br class=""><div \
class=""><br class=""></div></div></div></div></blockquote><div class=""><br \
class=""></div><div class="">Thanks for filing those! We'll take a look and respond \
shortly.</div><div class=""> </div><blockquote class="gmail_quote" \
style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; \
border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: \
break-word;" class=""><div class=""><div class=""><div class=""><div class="">Most of \
these are minor/editorial, but I think 151 is potentially a deal-breaker. I may be \
misreading the spec, but as written getHighEntropyValues seems to give access to \
all of the high entropy client hints to third-party scripts in the first party \
context, and scripts running in third-party iframes, regardless of which ones the \
site has opted into via the relevant HTTP header.<span \
class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">That's indeed the case, as we didn't \
consider the Client Hints opt-in to be something that impacts the availability of the \
JS API. (as it doesn't do that for other \
hints)</div></div></div></div></blockquote><div><br class=""></div><div>We're \
currently deeply skeptical of implementing any of the other client hints due to their \
expansion of fingerprinting surface, so I don't feel particularly compelled by that \
precedent. That said, it's likely the other client hints have this same problem, \
where they expose fingerprinting surface way more widely than they may be intending \
to.</div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><div class="gmail_quote"><div class=""></div><blockquote class="gmail_quote" \
style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; \
border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="overflow-wrap: \
break-word;" class=""><div class=""><div class=""><div class=""><div class="">That \
would be a huge problem, as it would grant a lot of active fingerprinting surface \
unnecessarily<span class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">We did<span \
class="Apple-converted-space"> </span><a \
href="https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548" \
class="">discuss</a> adding a Feature Policy (now Permission Policy) to that \
effect. Would that help with your \
concerns?</div></div></div></div></blockquote><div><br class=""></div><div>My \
understanding is that feature policy applies at the frame level, and therefore could \
not be used to control what happens when a third-party script in a first party \
context calls the API. Even for third-party iframes, it seems like Feature Policy \
could only default-deny this JS API entirely, and would not be able to filter the \
results down to the set delegated via HTTP headers (or otherwise). Maybe you intend a \
feature policy per individual high entropy hint, but first of all that seems like \
overkill, and second, the spec is clearly not written to support such \
filtering.</div><div><br class=""></div><div>So no, it would not address the \
concerns.</div><div><br class=""></div><div>I think the best approach is to limit the \
hints to those opted into (or, in case of a third-party frame, delegated). That or \
remove the script API entirely. The origin-based delegation model that works well at \
the HTTP level is not well aligned with the widespread practice of including \
third-party scripts in the top frame.</div><div><br class=""></div><div>The spec does \
not eve allow denying the request entirely as written. A non-normative Note suggests \
that is allowed, but I can't find any step in the algorithm that would ever reject \
the promise.</div><div><br class=""></div><blockquote type="cite" class=""><div \
class=""><div dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; \
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><div class="gmail_quote"><div \
class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px \
0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, \
204, 204); padding-left: 1ex;"><div style="overflow-wrap: break-word;" class=""><div \
class=""><div class=""><div class=""><div class="">(perhaps even expanding beyond \
what is currently possible with the UA \
string).</div></div></div></div></div></blockquote><div class=""><br \
class=""></div><div class="">Can you expand on that last \
point?</div></div></div></div></blockquote><div><br class=""></div><div>I mean that \
the client hints might include info that is not in the UA sting (possibly not at all, \
or possibly frozen in UA string but could be unfrozen in the client hints).</div><br \
class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" \
class=""><div class="gmail_quote"><div class=""> </div><blockquote \
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; \
border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: \
1ex;"><div style="overflow-wrap: break-word;" class=""><div class=""><div \
class=""><div class=""><div class=""><br class=""></div><div \
class="">Regards,</div><div class="">Maciej</div><div class=""><br \
class=""></div><div class=""><br class=""><blockquote type="cite" class=""><div \
class="">On Oct 27, 2020, at 12:35 AM, Yoav Weiss <<a href="mailto:yoav@yoav.ws" \
target="_blank" class="">yoav@yoav.ws</a>> wrote:</div><br class=""><div \
class=""><div dir="ltr" class="">Yet-another ping! :)</div><br class=""><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 7, 2020 at 8:23 AM \
Yoav Weiss <<a href="mailto:yoav@yoav.ws" target="_blank" \
class="">yoav@yoav.ws</a>> wrote:<br class=""></div><blockquote \
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; \
border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: \
1ex;"><div dir="ltr" class="">Friendly ping! :)</div><br class=""><div \
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic