[prev in list] [next in list] [prev in thread] [next in thread]
List: webkit-dev
Subject: Re: [webkit-dev] User Agent Client Hints
From: Alex Christensen <achristensen () apple ! com>
Date: 2020-11-03 19:03:23
Message-ID: DE1E607E-82CD-41F9-B16C-4740088C183F () apple ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
If I understand this correctly, the state of having received an Accept-CH header \
field in a response to a previous request is used to determine whether these new \
Sec-CH-* header fields will be sent. Not only does this add a new place to store \
bits on the client (as acknowledged by \
https://wicg.github.io/client-hints-infrastructure/#accept-ch-cache-definition \
<https://wicg.github.io/client-hints-infrastructure/#accept-ch-cache-definition> ) \
but it also seems to not provide a method for a server to receive client hint header \
fields on the first request from a client. Would both of these concerns be resolved \
if we used something like ALPN instead of needing to store state on the client? Am I \
understanding the Client Hints Infrastructure correctly?
> On Nov 2, 2020, at 3:32 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
>
>
> > On Nov 2, 2020, at 8:56 AM, Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > wrote:
> > Thanks for re-reviewing, Maciej!
> >
> > Adding Mike Taylor, who's likely to take a closer look at this.
> >
> > On Mon, Nov 2, 2020 at 2:17 AM Maciej Stachowiak <mjs@apple.com \
> > <mailto:mjs@apple.com>> wrote:
> > I just did a fresh review of that spec and explainer. Thanks for addressing many \
> > of the previous issues. This addresses many of the potential objections.
> > Here's the new issues I filed:
> >
> > https://github.com/WICG/ua-client-hints/issues/141 \
> > <https://github.com/WICG/ua-client-hints/issues/141> \
> > https://github.com/WICG/ua-client-hints/issues/142 \
> > <https://github.com/WICG/ua-client-hints/issues/142> \
> > https://github.com/WICG/ua-client-hints/issues/143 \
> > <https://github.com/WICG/ua-client-hints/issues/143> \
> > https://github.com/WICG/ua-client-hints/issues/144 \
> > <https://github.com/WICG/ua-client-hints/issues/144> \
> > https://github.com/WICG/ua-client-hints/issues/145 \
> > <https://github.com/WICG/ua-client-hints/issues/145> \
> > https://github.com/WICG/ua-client-hints/issues/146 \
> > <https://github.com/WICG/ua-client-hints/issues/146> \
> > https://github.com/WICG/ua-client-hints/issues/147 \
> > <https://github.com/WICG/ua-client-hints/issues/147> \
> > https://github.com/WICG/ua-client-hints/issues/148 \
> > <https://github.com/WICG/ua-client-hints/issues/148> \
> > https://github.com/WICG/ua-client-hints/issues/149 \
> > <https://github.com/WICG/ua-client-hints/issues/149> \
> > https://github.com/WICG/ua-client-hints/issues/150 \
> > <https://github.com/WICG/ua-client-hints/issues/150> \
> > https://github.com/WICG/ua-client-hints/issues/151 \
> > <https://github.com/WICG/ua-client-hints/issues/151>
> >
> > Thanks for filing those! We'll take a look and respond shortly.
> >
> > Most of these are minor/editorial, but I think 151 is potentially a deal-breaker. \
> > I may be misreading the spec, but as written getHighEntropyValues seems to give \
> > access to all of the high entropy client hints to third-party scripts in the \
> > first party context, and scripts running in third-party iframes, regardless of \
> > which ones the site has opted into via the relevant HTTP header.
> > That's indeed the case, as we didn't consider the Client Hints opt-in to be \
> > something that impacts the availability of the JS API. (as it doesn't do that for \
> > other hints)
>
> We're currently deeply skeptical of implementing any of the other client hints due \
> to their expansion of fingerprinting surface, so I don't feel particularly \
> compelled by that precedent. That said, it's likely the other client hints have \
> this same problem, where they expose fingerprinting surface way more widely than \
> they may be intending to.
> > That would be a huge problem, as it would grant a lot of active fingerprinting \
> > surface unnecessarily
> > We did discuss <https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548> \
> > adding a Feature Policy (now Permission Policy) to that effect. Would that help \
> > with your concerns?
>
> My understanding is that feature policy applies at the frame level, and therefore \
> could not be used to control what happens when a third-party script in a first \
> party context calls the API. Even for third-party iframes, it seems like Feature \
> Policy could only default-deny this JS API entirely, and would not be able to \
> filter the results down to the set delegated via HTTP headers (or otherwise). Maybe \
> you intend a feature policy per individual high entropy hint, but first of all that \
> seems like overkill, and second, the spec is clearly not written to support such \
> filtering.
> So no, it would not address the concerns.
>
> I think the best approach is to limit the hints to those opted into (or, in case of \
> a third-party frame, delegated). That or remove the script API entirely. The \
> origin-based delegation model that works well at the HTTP level is not well aligned \
> with the widespread practice of including third-party scripts in the top frame.
> The spec does not eve allow denying the request entirely as written. A \
> non-normative Note suggests that is allowed, but I can't find any step in the \
> algorithm that would ever reject the promise.
> >
> > (perhaps even expanding beyond what is currently possible with the UA string).
> >
> > Can you expand on that last point?
>
> I mean that the client hints might include info that is not in the UA sting \
> (possibly not at all, or possibly frozen in UA string but could be unfrozen in the \
> client hints).
> >
> >
> > Regards,
> > Maciej
> >
> >
> > > On Oct 27, 2020, at 12:35 AM, Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > > wrote:
> > > Yet-another ping! :)
> > >
> > > On Wed, Oct 7, 2020 at 8:23 AM Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > > wrote: Friendly ping! :)
> > >
> > > On Wed, Sep 30, 2020 at 9:29 AM Yoav Weiss <yoav@yoav.ws <mailto:yoav@yoav.ws>> \
> > > wrote: Hi WebKit folks,
> > >
> > > Circling back on the previous discussion \
> > > <https://lists.webkit.org/pipermail/webkit-dev/2020-May/031195.html> about \
> > > User-Agent ClientHint. The feature was implemented in Chromium and is being \
> > > rolled out in Chrome.
> > > There were some concerns mentioned in the previous thread, that we believe were \
> > > since addressed. Would the feature be something that WebKit would consider \
> > > shipping?
> > > Cheers :)
> > > Yoav
> > > _______________________________________________
> > > webkit-dev mailing list
> > > webkit-dev@lists.webkit.org <mailto:webkit-dev@lists.webkit.org>
> > > https://lists.webkit.org/mailman/listinfo/webkit-dev \
> > > <https://lists.webkit.org/mailman/listinfo/webkit-dev>
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html; \
charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; \
line-break: after-white-space;" class="">If I understand this correctly, the state of \
having received an Accept-CH header field in a response to a previous request is used \
to determine whether these new Sec-CH-* header fields will be sent. Not only \
does this add a new place to store bits on the client (as acknowledged by <a \
href="https://wicg.github.io/client-hints-infrastructure/#accept-ch-cache-definition" \
class="">https://wicg.github.io/client-hints-infrastructure/#accept-ch-cache-definition</a> ) \
but it also seems to not provide a method for a server to receive client hint header \
fields on the first request from a client. Would both of these concerns be \
resolved if we used something like ALPN instead of needing to store state on the \
client? Am I understanding the Client Hints Infrastructure correctly?<br \
class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Nov 2, \
2020, at 3:32 PM, Maciej Stachowiak <<a href="mailto:mjs@apple.com" \
class="">mjs@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><div \
class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: \
12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;" class=""><br class="Apple-interchange-newline"><br \
class=""><blockquote type="cite" class=""><div class="">On Nov 2, 2020, at 8:56 AM, \
Yoav Weiss <<a href="mailto:yoav@yoav.ws" class="">yoav@yoav.ws</a>> \
wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" \
class="" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: \
none;"><div dir="ltr" class=""><div class="">Thanks for re-reviewing, Maciej!<br \
class=""></div><div class=""><br class=""></div><div class="">Adding Mike Taylor, \
who's likely to take a closer look at this.</div></div><br class=""><div \
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 2, 2020 at 2:17 AM \
Maciej Stachowiak <<a href="mailto:mjs@apple.com" class="">mjs@apple.com</a>> \
wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px \
0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, \
204, 204); padding-left: 1ex;"><div class="" style="overflow-wrap: break-word;"><div \
class=""><br class=""></div>I just did a fresh review of that spec and explainer. \
Thanks for addressing many of the previous issues. This addresses many of the \
potential objections.<div class=""><br class=""></div><div class="">Here's the new \
issues I filed:<br class=""><div class=""><br class=""></div><div class=""><a \
rel="nofollow" href="https://github.com/WICG/ua-client-hints/issues/141" \
target="_blank" class="" style="box-sizing: border-box; color: rgb(3, 102, 214); \
text-decoration: none; font-family: -apple-system, BlinkMacSystemFont, "Segoe \
UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI \
Emoji"; font-size: \
14px;">https://github.com/WICG/ua-client-hints/issues/141</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/142" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/142</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/143" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/143</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/144" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/144</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/145" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/145</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/146" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/146</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/147" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/147</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/148" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/148</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/149" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/149</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/150" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/150</a><br class="" \
style="box-sizing: border-box; color: rgb(36, 41, 46); font-family: -apple-system, \
BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple \
Color Emoji", "Segoe UI Emoji"; font-size: 14px;"><a rel="nofollow" \
href="https://github.com/WICG/ua-client-hints/issues/151" target="_blank" class="" \
style="box-sizing: border-box; color: rgb(3, 102, 214); text-decoration: none; \
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, \
Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; \
font-size: 14px;">https://github.com/WICG/ua-client-hints/issues/151</a><br \
class=""><div class=""><br class=""></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">Thanks for filing those! We'll take a look \
and respond shortly.</div><div class=""> </div><blockquote class="gmail_quote" \
style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; \
border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class="" \
style="overflow-wrap: break-word;"><div class=""><div class=""><div class=""><div \
class="">Most of these are minor/editorial, but I think 151 is potentially a \
deal-breaker. I may be misreading the spec, but as written \
getHighEntropyValues seems to give access to all of the high entropy client \
hints to third-party scripts in the first party context, and scripts running in \
third-party iframes, regardless of which ones the site has opted into via the \
relevant HTTP header.<span \
class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">That's indeed the case, as we didn't \
consider the Client Hints opt-in to be something that impacts the availability of the \
JS API. (as it doesn't do that for other \
hints)</div></div></div></div></blockquote><div class=""><br class=""></div><div \
class="">We're currently deeply skeptical of implementing any of the other client \
hints due to their expansion of fingerprinting surface, so I don't feel particularly \
compelled by that precedent. That said, it's likely the other client hints have this \
same problem, where they expose fingerprinting surface way more widely than they may \
be intending to.</div><br class=""><blockquote type="cite" class=""><div \
class=""><div dir="ltr" class="" style="caret-color: rgb(0, 0, 0); font-family: \
Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; \
font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; text-decoration: none;"><div class="gmail_quote"><div \
class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; \
border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, \
204); padding-left: 1ex;"><div class="" style="overflow-wrap: break-word;"><div \
class=""><div class=""><div class=""><div class="">That would be a huge problem, as \
it would grant a lot of active fingerprinting surface unnecessarily<span \
class="Apple-converted-space"> </span></div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">We did<span \
class="Apple-converted-space"> </span><a \
href="https://github.com/WICG/ua-client-hints/issues/37#issuecomment-576730548" \
class="">discuss</a> adding a Feature Policy (now Permission Policy) to that \
effect. Would that help with your concerns?</div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">My understanding is that feature policy \
applies at the frame level, and therefore could not be used to control what happens \
when a third-party script in a first party context calls the API. Even for \
third-party iframes, it seems like Feature Policy could only default-deny this JS API \
entirely, and would not be able to filter the results down to the set delegated via \
HTTP headers (or otherwise). Maybe you intend a feature policy per individual high \
entropy hint, but first of all that seems like overkill, and second, the spec is \
clearly not written to support such filtering.</div><div class=""><br \
class=""></div><div class="">So no, it would not address the concerns.</div><div \
class=""><br class=""></div><div class="">I think the best approach is to limit the \
hints to those opted into (or, in case of a third-party frame, delegated). That or \
remove the script API entirely. The origin-based delegation model that works well at \
the HTTP level is not well aligned with the widespread practice of including \
third-party scripts in the top frame.</div><div class=""><br class=""></div><div \
class="">The spec does not eve allow denying the request entirely as written. A \
non-normative Note suggests that is allowed, but I can't find any step in the \
algorithm that would ever reject the promise.</div><div class=""><br \
class=""></div><blockquote type="cite" class=""><div class=""><div dir="ltr" class="" \
style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; \
font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: \
normal; text-align: start; text-indent: 0px; text-transform: none; white-space: \
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: \
none;"><div class="gmail_quote"><div class=""> </div><blockquote \
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; \
border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: \
1ex;"><div class="" style="overflow-wrap: break-word;"><div class=""><div \
class=""><div class=""><div class="">(perhaps even expanding beyond what is currently \
possible with the UA string).</div></div></div></div></div></blockquote><div \
class=""><br class=""></div><div class="">Can you expand on that last \
point?</div></div></div></div></blockquote><div class=""><br class=""></div><div \
class="">I mean that the client hints might include info that is not in the UA sting \
(possibly not at all, or possibly frozen in UA string but could be unfrozen in the \
client hints).</div><br class=""><blockquote type="cite" class=""><div class=""><div \
dir="ltr" class="" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; \
font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; \
letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; \
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; \
text-decoration: none;"><div class="gmail_quote"><div \
class=""> </div><blockquote class="gmail_quote" style="margin: 0px 0px 0px \
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic