Client hints or client lies?
-
For decades, the User Agent header has been a major arena for truths, lies and other dastardly deeds. Now there’s an effort to replace the User Agent with “Client Hints”. How will that go?
-
Hi,
Thanks for the explanation. Is there any official WWW site to report this behavior as a user?
-
Thanks for the write-up. Informative and infuriating. I predicted as much would happen when user hints were first announced. Outside of very specific instances, like the partners you mention, websites do not need user agents, hints, or indeed any information about the device or browser people are using.
-
interesting blog post
-
It is macOS, not MacOS (the name change was a while ago, and for many, MacOS written like that looks like MacOS 9 and lower).
Whatever happened to doing feature detection?
I remember Hallvord from MyOpera days talking about this (back in 2009) https://dev.opera.com/blog/opera-s-site-patching/ , and knowing that Apple has site-specific hacks for Safari even in Safari 16.x. I even remember testing the browser.js file for Gmail sending broken code to Opera years ago.
-
@Zalex108 The main Client Hints pages are linked in the article at the beginning of the Client Hints section.
-
@Chas4 I guess the stats collectors didn't want to lose their job data.
-
@yngve said in Client hints or client lies?:
@Zalex108 The main Client Hints pages are linked in the article at the beginning of the Client Hints section.
I mean some kind of official organisation which cares about keeping respectful behavior within the WWW, and could even warn / admonish companies which do (and repeat) the block-specific-UA behaviour.
-
@Zalex108 Unfortunately, there are no Standards Enforcement Agencies for the WWW, .... except its users. They can complain loudly, if necessary, to the site owners, or the world at large about issues.
Working groups like the ones working at Client Hints can define the rules, but they can't enforce them.
It is conceivable that some national (or in some cases international, like the EU) government entities or courts can be convinced to take action in certain narrow fields (depending on local law), for example if a site blocks tools used by disabled people (in the US that might be governed by the ADA law).
Generally, though, users are mostly on their own, and have to contact the web sites to report issues, and to report issues to the browser vendor. OTOH, the only actions browser vendors can take is either fix actual, real bugs, or lie to the site, depending on what the issue is, and in some cases take the issue to the relevant Standards Organization Working Groups.
At present, regarding Client Hints, we are waiting for the other shoe to drop (if it drops).
-
Great and informative article on something I really loathe...
Client hints are a terrible "innovation" that only results in over-complicating web standards, they are open to abuse (as this article clearly shows) and fingerprinting, as well as making it easier for stupid web developers to enforce rules on what browsers are "compatible" and so "allowed" to load their site.
Users get confusing "Update your browser to use this site" warnings and are sometimes outright blocked from using sites. As if it's the site's responsibility to make sure users have updated browsers. It's basically an excuse for web dev laziness - if they force users to always run the latest version, they can skip on following standards to make their site work in any browser apart from the big ones they test with - perfect for Google and Microsoft to increase their market share.
Not surprisingly, invented and brute forced through as a "standard" by Google by simply making all Chromium-based browsers send the hints by default, in effect making sites adapt and abuse them quickly.
Authors of Client Hints (surprise surprise):
I. Grigorik - Google
Y. Weiss - Google
https://datatracker.ietf.org/doc/html/rfc8942
And also no surprise that the chairs of this "WICG" group consist of basically Google and Microsoft:
https://wicg.github.io/admin/charter.html#chairs
Just the fact that the "GREASE" process even exists to "force" sites to code working parsers - which we all know web devs will inevitably mess up - proves it's a broken spec.
It's still an Experimental RFC, but still widely used to enforce browser "compatibility" and breaking browsers along the way. Firefox does not (yet?) send client hints. Maybe it's time for other browsers to stop sending them too?
@yngve What would happen if Vivaldi and others just outright stopped sending them? Would sites stop working? Would we encounter Cloudflare and other security "bot checks" every time we attempt to load such sites because we don't send the expected client hints?
-
@Pathduck I have no idea what would happen in such a case.
I'll note, though, that as mentioned, the site that blocked non-Chrome/Edge branded browsers used a different method to detect Firefox (because it does not send Hints at this time). However, it would be very simple for such a site to check if the browser connecting is a Chromium-based browser but not sending Hints, and proceed to block it.
One could, conceivably, identify as Firefox instead, but that would likely run into trouble with sites that use such detection to decide feature support, e.g. in JS, which would cause curious bugs to appear due to implementation differences.
I guess it is a case of damned if you do, damned if you don't.
Frankly, the only viable option I see, unless you are a dominant player in an important market (for which a block can cause massive economic disadvantages for the website), is to lie to the websites.
That is not how it is/was supposed to work, but it is the world we currently have.
-
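Two points in this thread are easier to see in code: Pathduck's remark that GREASE exists to force sites to write real parsers (and that many don't), and yngve's point that a site can trivially spot a Chromium-based browser that has stopped sending Hints. The following is an added example, not code from the blog post, from Vivaldi, or from any of the posters. It parses Sec-CH-UA as the RFC 8941 structured-field list it actually is (quoted strings, each with a v="..." parameter), contrasts that with the common "first entry, split on ;" shortcut, and then runs the User-Agent/Sec-CH-UA consistency check a site could apply. Every header value below is constructed for the example, including the GREASE brand "Not;A=Brand"; the brand names, sample UA strings and function names are assumptions, not anything the thread confirms a real site uses.

```javascript
// Added example; not code from the Vivaldi blog post or the forum posters.
// Parses Sec-CH-UA (an RFC 8941 list of sf-strings with a v="..." parameter)
// tolerantly, then checks a request for the UA/Hints inconsistency discussed.

function parseSecChUa(header) {
  const s = header;
  let i = 0;
  const brands = [];
  const ws = () => { while (s[i] === ' ' || s[i] === '\t') i++; };
  const string = () => {              // sf-string: "..." with \" and \\ escapes
    if (s[i] !== '"') throw new Error(`expected '"' at offset ${i}`);
    let out = '';
    for (i++; i < s.length; i++) {
      if (s[i] === '\\') out += s[++i];
      else if (s[i] === '"') { i++; return out; }
      else out += s[i];
    }
    throw new Error('unterminated sf-string');
  };
  const token = () => {               // bare parameter key or unquoted value
    const start = i;
    while (i < s.length && /[A-Za-z0-9_.:%*\/!#$&'^`|~+-]/.test(s[i])) i++;
    return s.slice(start, i);
  };
  while (ws(), i < s.length) {
    const brand = string();            // GREASE brands may contain ; = ( ) ? etc.
    const params = {};
    for (ws(); s[i] === ';'; ws()) {
      i++; ws();
      const key = token();
      params[key] = true;             // a bare parameter is boolean true
      if (s[i] === '=') { i++; params[key] = s[i] === '"' ? string() : token(); }
    }
    brands.push({ brand, version: typeof params.v === 'string' ? params.v : null });
    if (i >= s.length) break;
    if (s[i] !== ',') throw new Error(`expected ',' at offset ${i}`);
    i++;
  }
  return brands;
}

// The shortcut GREASE is meant to break: assume the first entry is "the"
// brand and split on ';' to drop the version. A GREASE brand that contains
// ';' is misread, and the list order is not guaranteed by the spec anyway.
function naiveFirstBrand(header) {
  return header.split(';')[0].replace(/"/g, '').trim();
}

// The right question to ask of the parsed list: is a brand I care about
// present at all, regardless of position or of what the GREASE entry says.
function hasBrand(brands, name) {
  return brands.some(b => b.brand === name);
}

// Server-side consistency check from the discussion above. Header names are
// lower-cased, as a Node-style server presents them. A User-Agent that claims
// "Chrome/" identifies a Chromium engine; such a browser sending no Sec-CH-UA
// at all is detectable as having suppressed its hints.
function classifyClient(headers) {
  const ua = headers['user-agent'] || '';
  const hints = headers['sec-ch-ua'];
  const brands = hints ? parseSecChUa(hints) : [];
  const engine = /Firefox\//.test(ua) ? 'gecko'
               : /Chrome\//.test(ua) ? 'chromium'
               : 'unknown';
  return {
    engine,
    hintsPresent: Boolean(hints),
    hintsSuppressed: engine === 'chromium' && !hints,
    brands: brands.map(b => b.brand),
  };
}

// Constructed sample values (not captured from real browsers).
const SAMPLES = {
  chrome: '"Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"',
  greaseFirst: '"Not;A=Brand";v="8", "Chromium";v="118", "Vivaldi";v="6.4"',
  chromiumUa: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36',
};

console.log(parseSecChUa(SAMPLES.greaseFirst));
console.log('naive:', naiveFirstBrand(SAMPLES.greaseFirst));
console.log(classifyClient({ 'user-agent': SAMPLES.chromiumUa, 'sec-ch-ua': SAMPLES.greaseFirst }));
console.log(classifyClient({ 'user-agent': SAMPLES.chromiumUa }));   // hints stripped
```

Run with `node`. The naive parser returns "Not" for the GREASE-first sample, while the structured parser returns all three brands intact; and the request with Chrome in the User-Agent but no Sec-CH-UA comes back with hintsSuppressed set, which is exactly the signal a site would need in order to block a Chromium browser that stopped sending Hints.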
@yngve said in Client hints or client lies?:
I have no idea what would happen in such a case.
Well, I have made the following headers stop being sent using Mod-Header, we'll see what breaks first
sec-ch-ua sec-ch-ua-mobile sec-ch-ua-platform sec-ch-ua-arch sec-ch-ua-bitness sec-ch-ua-full-version-list sec-ch-ua-model sec-ch-ua-platform-version sec-ch-ua-wow64
That is not how it is/was supposed to work, but it is the world we currently have.
Unfortunately, yes...
What was that about a shoe supposed to drop by the way?
-
@Pathduck said in Client hints or client lies?:
What was that about a shoe supposed to drop by the way?
The question of how many important sites will be blocking browsers with the wrong branding.
I hope that particular shoe won't drop, but that site I mentioned does not inspire confidence. There have been a couple of reports that initially sounded like they were due to such blocking, but turned out to be something entirely different, including bugs in Vivaldi.
So far we have only run into the two sites with significantly different Client Hints problems mentioned in my article. One was easy to work around, the other requires a significant policy change that we are not currently willing to make. That might change if we start encountering this kind of problem with numerous important sites that refuse to fix their systems.
-
@yngve I'd just call 'em client sheets ^^
-
@yngve said in Client hints or client lies?:
Unfortunately, there are no Standards Enforcement Agencies for the WWW, .... except its users. They can complain loudly, if necessary, to the site owners, or the world at large about issues.
What about the W3C?
-
@edwardp W3C and similar organizations and working groups create standards specifications; they do not (and cannot) enforce them. They can't tell a site "fix this, or we will fine you or block you from the net".
Web sites developers can design their web sites any way they wish. The only limit on their "creativity" is what shenanigans clients will let them get away with (either by accident or by policy). In the case of Client Hints, the problem is that there is no automatic way for a client to determine that it is being blocked, so it can't prevent such shenanigans, except by generally sending false information that tricks the site (and all other sites).
-
Another way to view the W3C&Co's authority (or lack of it) is to compare it to how nations are governed.
In a nation the Parliament passes laws, the executive branch implements them, and the courts rule on how they are implemented. The Parliament can investigate the other parts of the national system, and pass new laws based on their findings.
For the WWW, we have the standards organizations as the parliament defining standards. They can also decide to investigate how the current specifications work, and if necessary update them or define new specification to handle the issues that were identified.
The "problem" is that this area of the internet does not have an executive or a court system (and it is probably not practical to have them, either), so users and implementers are left on their own trying to create a working real world system; some aspects may be handled by local "real world" governments and their courts, though. (Other parts of the internet, though, especially some of the lower level areas do have systems that are more like an executive and a court system, which can enforce standards and decisions, but those will usually be governed by contracts and in some cases national or international laws and treaties).
-
@Pathduck said in Client hints or client lies?:
Client hints are a terrible "innovation" that only results in over-complicating web standards, they are open to abuse (as this article clearly shows) and fingerprinting, as well as making it easier for stupid web developers to enforce rules on what browsers are "compatible" and so "allowed" to load their site.
If content providers want the largest number of individuals to be able to view their content, they should write their web pages so that the largest number of individuals will be able to view their content, rather than blocking this or that web browser.
Is it that difficult to do? Is it asking for too much?
-
@edwardp the idea behind client identification (apart from nefarious user fingerprinting) is to support a certain feature for different clients.
No JavaScript or modern video/image content would be accessible by the largest number of individuals.
And every single one of them will complain about the 80s look and features on that site.
Off the top of my head, there are 3 groups hindering sites from assuming a sane minimal browser feature set:
- corporations with stupid security guidelines (IE 11)
- unteachable private citizens ("I will not move away from Windows XP/7 and insist on continuing to use an outdated browser")
- Google/Apple pushing their own stuff in favor of clearly better standards.
-
@becm said in Client hints or client lies?:
the idea behind client identification (apart from nefarious user fingerprinting) is to support a certain feature for different clients.
Browser sniffing shouldn't be allowed at all, but unfortunately, that's not something we have any control over.
However... If a web site will not deliver content simply because of my choice of browser, that site receives no more traffic from me.