iPhone + Safari Mozilla/5.0 (iPhone; CPU iPhone OS 17_4_1 like Mac OS X) AppleWebKit/ 605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604. Windows + Chrome Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 macOS + Chrome Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Ref. https://www.useragents.me/ 2024-05-23 accessed 3
user agent allows for more appropriate content delivery. Smartphone PC HTTP Servers 1. Request 2. Response 1. Request 2. Response PC websites Mobile websites User Agent: xxx User Agent: yyy HTTP Servers 4
• Performance: Increase the length of HTTP response headers • Privacy: Identify users by User Agent (especially minor hardware/OS) Mozilla/5.0 (iPhone; CPU iPhone OS 17_4_1 like Mac OS X) AppleWebKit/ 605.1.15 (KHTML, like Gecko) Version/17.4.1 Mobile/15E148 Safari/604. 138 bytes Ref. https://www.w3counter.com/globalstats.php 2024-05-23 accessed 5
server’s use of request headers for proactive content negotiation • Bene fi ts: • Mitigate performance concerns by limiting HTTP request headers sent • Mitigate privacy concerns for tracking by requiring explicit opt-in and disclosure of required headers. • New HTTP response header “Accept-CH” • Currently in experimental status and NOT standards 6
(Step1) User agents choose Client Hints based on “Default settings of Client Hints,” “User Con fi guration,” and “Server Preferences” • Opt-in mechanisms for negotiation (which header fi elds need to be sent) is described in Client Hints Infrastructure* Use Agent HTTP Server Default settings of Client Hints User Con fi guration Server Preferences 1. Request 2. Response Accept-CH headers * Client Hints Infrastructure https://wicg.github.io/client-hints-infrastructure/ First time Client Hints 7
(Step 2) When HTTP request (Request) includes Client Hints headers, HTTP server optimize HTTP response. • If the HTTP response is cacheable, HTTP server MUST includes a “Vary” header. • To indicate which Client Hints can a ff ect the selected HTTP response • To indicate ether the selected HTTP response is appropriate for a later request Use Agent HTTP Server Client Hints 1. Request 2. Response Second time or later 8
fi ned in RFC 7231* • Represents the information to decide HTTP response contents by HTTP request headers excluding HTTP Method, Host header, request target. • (Example) →Additional information to decide HTTP response contents: accept-encoding, accept-language *RFC 7231 https://datatracker.ietf.org/doc/html/rfc7231#section-7.1.4 Vary: accept-encoding, accept-language 9
Accept-CH headers format in ABNF: • This header has a “Structured Header” which is de fi ned in RFC 8941*. • Example: • When a user agent receives an HTTP response containing Accept-CH, the user agent is able to send an request which contains corresponding headers. • Whether a header is included in an HTTP request or not is persistent on the same origin. Accept-CH = sf-list Accept-CH: Sec-CH-Example, Sec-CH-Example-2 *RFC 8941 https://datatracker.ietf.org/doc/html/rfc8941#name-structured-data-types Use Agent HTTP Server Client Hints 1. Request 2. Response Vary: Sec-CH-Example, Sec-CH-Example-2 10
“privacy-preserving proactive content negotiation” (Vary header) • Avoid exposing information about passive fi ngerprinting vectors • Uncontrolled and unmonitored “privacy-preserving proactive content negotiation” has information exposure risks due to features abuse in Client Hints. • To prevent this abuse, user agents has to apply further policies to prevent abuse 12
following points to avoid information exposure. 13 “The underlying assumption is that exposing information about the user as a request header is equivalent (from a security perspective) to exposing this information by other means. (For example, if the request's origin can access that information using JavaScript APIs and transmit it to its servers.)” Use Agent (request’s origin) Servers Send information (display size, OS) 13 Get information (display size, OS) Assume user agents by received information
provide new information that is otherwise not made available to the application by the user agent, such as existing request headers, HTML, CSS, or JavaScript. • Client Hints enable “privacy-preserving proactive content negotiation” • Scripts such as Save-Data Client Hints* causes information exposure without increasing the passive fi ngerprinting surface. 14 * https://wicg.github.io/savedata/#save-data-request-header- fi eld Use Agent Servers User-Agent: chrome …
“Exposing highly granular data can be used to help identify users across multiple requests to di ff erent origins.” 2. Sensitivity “information available to the application, but gated behind speci fi c user actions (e.g., a permission prompt or user activation), SHOULD NOT be exposed as a Client Hint.” 3. Change over time “The feature SHOULD NOT expose user information that changes over time, unless the state change itself is also exposed (e.g., through JavaScript callbacks).” 15
“Implementers SHOULD restrict delivery of some or all Client Hints header fi elds to the opt-in origin only, unless the opt-in origin has explicitly delegated permission to another origin to request Client Hints header fi elds.” • “User agents MUST clear persisted opt-in preferences when any one of site data, browsing cache, cookies, or similar are cleared.” 16 Use Agent Server1 Request Client Hints Server2 Request Client Hints
of new request headers • Field name con fl icts between existing headers and Client Hints headers • User Agent behavior based on header fi eld name • User Agent prevents access to Sec- pre fi x on header fi eld name from scripts or other app contents • Request header fi eld name for Client Hints ought to contain CH- pre fi x 18
tracks access to active fi ngerprinting information SHOULD consider emission of Client Hints headers similar to the way it would consider access to the equivalent API.” • In research, Compare HTTP response including Client Hints with other HTTP responses 20
Hints causes HTTP request byte increases • HTTP header compression mitigates HTTP request byte increases • “Servers SHOULD take that into account when opting in to receive Client Hints and SHOULD NOT opt-in to receive hints unless they are to be used for content adaptation purposes.” 21
tomoyk
chou500
kazushi_ohata
sonatard
fullkaiten
ken5scal
akexorcist
tacck
sansantech
kakehashi
cyberagentdevelopers
oracle4engineer
kaminashi
bermonpainter
trallard
smashingmag
morganepeng
destraynor
sergeychernyshev
kneath
jonyablonski
carmenintech
skipperchong
colly
chrislema
