Mozilla takes issue with proposed replacement, which the Firefox-maker says could still be used for fingerprinting
Earlier this week, Google announced that it plans to phase out the user-agent string in Chrome that gives websites details about the browsers that are accessing them.
Mozilla has offered tentative support for its rival’s decision to scrap the aging feature, although the Firefox-maker said it would not be endorsing the proposed replacement, which it says could still potentially be used for fingerprinting.
The user-agent string is a short piece of text that’s sent by a user’s web browser when making HTTP requests. It includes the name of the browser, rendering system, operating system, and information on the device being used.
User-agent strings have been in use for decades, allowing websites to fine-tune their content for different setups.
However, Google says the string is now causing problems. In a post on the Chromium forum this week, Google engineer Yoav Weiss said the data being shared by the user-agent string has privacy implications.
“On top of those privacy issues, user-agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason,” he adds.
In one example, the Vivaldi browser has recently started presenting itself as Chrome, in order to avoid bugs.
Now, says Google, it plans to freeze the standard, and stop updating Chrome with new strings. Instead, it plans to roll out a new feature called User-Agent Client Hints (UACH), developed as part of its Privacy Sandbox project.
This provides the required information only when the server requests it, over a secure connection. As a result, any fingerprinting based on it will be deemed to be active fingerprinting, meaning it can be audited and acted upon by the browser.
Fingerprinting in this instance refers to the sometimes illicit gathering of device data in order to track users.
The rollout of UACH will also mean that servers won’t be given more data than they want or need, and the mechanism is more ergonomic, making compatibility issues less likely, Google said.
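Because a server has to ask for these details, the request itself can be inspected. The Python sketch below is an added example, not code from Google, Mozilla or the original article: it reads the `Accept-CH` response header a site uses to opt in and separates the default low-entropy hints from the high-entropy ones that only arrive on request. The `Sec-CH-UA-*` names follow the Client Hints specification as later standardized rather than anything in the article, and the review threshold and sample headers are constructed for illustration.

```python
# Low-entropy hints: sent by default by browsers that implement UA-CH.
LOW_ENTROPY = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}
# High-entropy hints: sent only after the server names them in Accept-CH.
HIGH_ENTROPY = {
    "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-model",
    "sec-ch-ua-platform-version", "sec-ch-ua-full-version",
    "sec-ch-ua-full-version-list", "sec-ch-ua-wow64",
    "sec-ch-ua-form-factors",
}


def parse_accept_ch(value):
    """Split one Accept-CH header value into normalized, de-duplicated tokens."""
    tokens = []
    for part in value.split(","):
        token = part.split(";", 1)[0].strip().lower()  # drop any parameters
        if token and token not in tokens:
            tokens.append(token)
    return tokens


def audit_response(headers, threshold=3):
    """Classify the hints a response asks for.

    headers: list of (name, value) pairs, so repeated Accept-CH lines survive.
    threshold: arbitrary review cut-off chosen for this example (assumption).
    """
    requested = []
    for name, value in headers:
        if name.lower() == "accept-ch":
            for token in parse_accept_ch(value):
                if token not in requested:
                    requested.append(token)
    high = [t for t in requested if t in HIGH_ENTROPY]
    other = [t for t in requested if t not in HIGH_ENTROPY | LOW_ENTROPY]
    return {"high_entropy": high, "non_ua_hints": other,
            "review": len(high) >= threshold}


# Constructed sample responses, not captured from any real site.
MINIMAL = [("Content-Type", "text/html"), ("Accept-CH", "Sec-CH-UA-Platform")]
GREEDY = [
    ("Accept-CH", "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version"),
    ("accept-ch", "sec-ch-ua-arch, Sec-CH-UA-Full-Version-List, Viewport-Width"),
]

if __name__ == "__main__":
    for label, sample in (("minimal", MINIMAL), ("greedy", GREEDY)):
        print(label, audit_response(sample))
```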
Google plans to carry out the deprecation gradually over the coming months, depending on how amenable each element is to freezing.
“Different parts of the UA string have different compatibility implications. Some parts of it, such as the browser version and the OS version, can be frozen without any backwards compatibility implications. Values that worked in the past will continue to work in the future,” says Weiss.
“Other parts, such as the model (for mobile devices) and the OS platform, can have implications on sites that tailor their UI to the underlying OS or that target a very specific model in their layout. Such sites will need to migrate to use UACH.”
The move’s been generally welcomed, although it’s not likely to be emulated across the board.
“Mozilla supports this change. However, Mozilla does not support the mechanisms Chrome is proposing to replace the user-agent header,” a Mozilla spokesperson tells The Daily Swig.
“Client Hints can be used for fingerprinting based on HTTP requests, and this makes it harder to determine how sites use this information.”
There’s a detailed timeline for the changes here.