Should the Accept-CH header restrict hints available in Navigator? #26
Comments
The intent is for the page to opt-in to receiving the information it requires. The page can do that in the form of a Client Hints (using So, having the API work even if the server has not requested the Client Hints is WAI. Closing, but let me know if you have further questions.
That covers my question, thanks!
@yoavweiss related to the ticket, I understand the
At least as defined right now, the Feature Policy is restricting the exposure of the information through Client Hints but not through
From a fingerprinting- and ua-sniffing (or should I say "hint sniffing") perspective I struggle to see the logic behind that differentiation.
I'd propose a feature policy is required to access
#37 seems like a better approach to achieve the same: an opt-in that enables limiting 3P exposure to Let's continue the discussion there
I'm unclear on the intent of the interaction (if any) between the `Accept-CH` header and the Navigator-level function `getUserAgent`.
I would assume (and I would prefer) that any client hint not marked as accepted in the header set by the server-response should not be available to JavaScript operating on the page? But this isn't fully clear in the given documentation. I tested this in Canary (presumably the intended design of the feature) and did not get the expected result.
Page tested with: https://ua-client-hints-test.glitch.me/?client_hints_to_exclude=Arch
Code: https://glitch.com/edit/#!/ua-client-hints-test?path=server.js:38:56
You will note that on 2nd load the server, as expected, does not read a `sec-ch-ua-arch` value, however the `navigator.getUserAgent` function does return that value.
Is that the intended behavior?