Client hints or client lies?

waldo

Why do you not include anything in userAgent string to indicate Vivaldi? I see that Microsoft Edge includes Edg/... and Opera includes OPR/... at the end in addition to all those that you report in Vivaldi. This would help make Vivaldi be visible in statistics to show how many users you actually have. Once you include Chrome and Safari like you do, it will not hurt to add your own in addition?

Pathduck

@waldo Exactly for the same reasons discussed in the blog post... crap user agent detection scripts. Better to just completely give the exact same UA as Chrome.

This was done years ago, while the Client Hints debacle is newer...

https://vivaldi.com/blog/user-agent-changes/

DoctorG

@waldo Some web servers and websites have a bad attack detection or some filters to reject browsers they do not know and they think browsers like Vivaldi can not work. Bad Administrators from Hell.

That's why Vivaldi has to disguise in user-agent as Google Chrome.

waldo

@pathduck: Wow. I didn't know it was so bad that someone specifically targets and blocks Vivaldi. This is outragous!

Pathduck

@waldo There are many User-Agent change extensions out there. So if you want to experiment overriding the UA with a proper Vivaldi string, you can.

The most popular one is probably this one:
https://chrome.google.com/webstore/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
Problem is they can't seem to keep their UA strings up-to-date.

Personally I use ModHeader to test, I find it easier to change the UA:
https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj

Try going to google.com with that UA

far4

@yngve
Can I ask the developers to completely disable the entire CH section for the android browser in order to improve privacy? For example, Bromite simply has no CH, which is great for the user. Here you can define your UA, and I'm fine with the shortest option "Mozilla/5.0 (Linux; android)". My webview Canary 116.0 has a great feature that completely disables CH, if custom UA is selected in the browser that runs the webview (eg. Privacy Browser). This looks awesome - two dozen empty Client Hints fields! Could you implement this in Vivaldi? And more: what prevents Vivaldi/android from allowing the user to define the UA strings themselves?

Pathduck

@far4 Yeah, Firefox (114 on desktop) doesn't even send any Sec-Ch-Ua headers so there's really no good reason to even send these useless headers.

Mozilla's position is still "Neutral":
https://mozilla.github.io/standards-positions/#ua-client-hints

I've used Modheader to set Vivaldi to not send these headers as well, and not seen any bad effects on the websites I visit for a long time.

Browsers should just throw this "standard" out, it's still defined as Experimental as far as the IETF goes:
https://datatracker.ietf.org/doc/html/rfc8942

Then the WICG group should be shown the door and told to stop creating useless over-complicated specs and having it forced on everyone else because Google and Chrome is more than happy to implement anything that gives them more data about users.

yngve

@far4 That would probably be more trouble than its worth, presently, since the functionality is hooked in a number of places in Chromium.

I have suggested to the Chromium team that the Sec-CH-UA header be removed, and suggested the same to the WG, since the abuse and the responses to it is now rendering that header worthless.

It might be better to ask the Chromium team to implement that.

Pathduck

@yngve Given that these are the same people who brought us wonders such as FLoC, Topics and First Party Sets. As well as proposing privacy-infringing and easily abused stuff like Idle Detection. So yeah, maybe not get our hopes up on that front...

It's interesting to see Mozilla's position on the WICG proposals are mostly all negative.