Freeze the User Agent string

We want to freeze (but not remove) the User Agent string in HTTP requests as well as in navigator.userAgent

The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as incorrect information (Mozilla/5.0, anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing. On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular to minority browsers, resulting in browsers lying about themselves, and sites (including Google properties) being broken in some browsers for no good reason. The User Agent Client Hints feature provides an alternative source for the information the User Agent string provides (both in its request header form as well as its JS API one). Its main advantages are: It provides the required information only when the server requests it, making any fingerprinting that relies on it be active fingerprinting, which can be detected and acted-upon by the browser. It provides the information in small increments, so servers are less likely to touch many fingerprinting bits in order to figure out one detail about the browser. (e.g. brand and major version) And finally, since it provides the information in small increments, it requires less parsing, so it is less likely that servers will get it wrong and cause compatibility issues.

Status in Chromium

Blink


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owners

Last updated on 2020-01-14