Fixes #196 - Add a Sec-CH-UA-Full-Version-List client hint

[miketaylr]

TODO:

• deprecate Sec-CH-UA-Full-Version
• should getHighEntropyHints return a FrozenArray for valueList?
• update README
• file corresponding CH Infra issue (to capture permissions policy), and coordinate landing that PR once this is ready
• https://wicg.github.io/ua-client-hints/#create-an-arbitrary-version needs to be updated to take an argument as well

---

💥 Error: 400 Bad Request 💥

PR Preview failed to build. (Last tried on Sep 13, 2021, 9:15 PM UTC).

More

PR Preview relies on a number of web services to run. There seems to be an issue with the following one:

🚨 CSS Spec Preprocessor - CSS Spec Preprocessor is the web service used to build Bikeshed specs.

🔗 Related URL

Error running preprocessor, returned code: 2.
FATAL ERROR: Couldn't load MDN Spec Links data for this spec.
Expecting value: line 1 column 1 (char 0)
 ✘  Did not generate, due to fatal errors

If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.

[miketaylr]

@erik-anderson mind providing some feedback on this PR?

[yoavweiss]

High-level question on this: Initially, @mikewest defined Sec-CH-UA so that when an opt-in is provided, its processing fills in the full version instead of the significant version. We later removed that in favor of Full-Version, to make processing simpler (to not special case Sec-CH-UA). Maybe that was a mistake?

[mikewest]

High-level question on this: Initially, @mikewest defined Sec-CH-UA so that when an opt-in is provided, its processing fills in the full version instead of the significant version. We later removed that in favor of Full-Version, to make processing simpler (to not special case Sec-CH-UA). Maybe that was a mistake?

I still like the original version. :)

But given the way things have evolved, I'm not sure it's worth rolling everything back. Chrome has shipped Sec-CH-UA for a while now, and changing its semantics might be difficult.

[miketaylr]

Initially, @mikewest defined Sec-CH-UA so that when an opt-in is provided, its processing fills in the full version instead of the significant version. We later removed that in favor of Full-Version, to make processing simpler (to not special case Sec-CH-UA).

Hmm, that's pretty interesting, I think I missed out on that entirely! (Or knew at one point and just forgot... 🙈 ).

Recapping for myself: the early design was if you requested ua (now it would have to be sec-ch-ua) you would get a full-versioned brandlist, rather than the default significant versioned one.

I think folks might request sec-ch-ua to get at (full!) versions without understanding that they get significant versions for free, so a different-enough token would probably be desirable were we to take that approach. Maybe sec-ch-ua-full-version(s) could have powered that behavior... but that ship has sailed. I don't think we want to make stumbling into requesting extra entropy to be so easy. It wouldn't' surprise me to find code where folks request the full version list and parse it to get at a significant version.

And looking back to #45, I can see @yoavweiss had the same concerns. WDYT, @yoavweiss? Do we go back to the magic behavior with a different token (we could re-use this proposalssec-ch-ua-version-list), or do we introduce a new hint?

One one hand, there's fewer headers over the wire if you want full-version via sec-ch-ua, on the other, it's kind of magical or confusing.

Also interested in feedback from @erik-anderson.

[yoavweiss]

One one hand, there's fewer headers over the wire if you want full-version via sec-ch-ua, on the other, it's kind of magical or confusing.

Yeah, I agree with that description of the tension. Given that requesting for the full version should be rather rare, let's go with less magic and confusion.

[yoavweiss]

Do we have use counters for Full-Version? Could we just change its semantics in place (instead of rename)?

[miketaylr]

Let me check on that. It would be nicer if we could...

[miketaylr]

OK, we might have missed the boat here with 1.6% of page loads, sadly 😿:

https://chromestatus.com/metrics/feature/timeline/popularity/3189

[miketaylr]

@yoavweiss looks like it's too high to change here. Shall we continue review assuming a new hint?

[mikewest]

1.6% is an astoundingly high number. Do you have any insight into who's using this mechanism? Is there some large embedded resource that's causing this to show up on lots of sites, or are there large top-level sites opting in?

[miketaylr]

We know that YouTube has been experimenting with UA-CH (and sadly we caused a crash there, oops), and we have some other partners who have committed to doing some testing.

[yoavweiss]

It's unclear if what is passed is the version itself, or an instruction to operate on that version type. I think you meant the latter, but it might be worthwhile to pass an internal enum, and then refer internally to the right version type based on that enum.

Also, right now both significant version and full version are defined as a single version. It may be worthwhile to adapt their descriptions to indicate that, unlike Highlander, there can be more than one.

[miketaylr]

it might be worthwhile to pass an internal enum, and then refer internally to the right version type based on that enum

This sounds probably like what we want to do, but I'm not sure how to spec it. Are you aware of any other similar usage in a spec I can learn from, or have some suggestions?

[miketaylr]

@yoavweiss does ac95343 look better from your perspective?

[yoavweiss]

LGTM assuming we can't change semantics

[erik-anderson]

This addresses the concern I had in issue #196. Thanks!

[miketaylr]

This addresses the concern I had in issue #196. Thanks!

Thanks for the review! @erik-anderson any thoughts on Sec-CH-UA-Version-List vs Sec-CH-UA-Full-Version-List? Former is less chars to type, latter is more accurate/correct.

[erik-anderson]

This addresses the concern I had in issue #196. Thanks!

Thanks for the review! @erik-anderson any thoughts on Sec-CH-UA-Version-List vs Sec-CH-UA-Full-Version-List? Former is less chars to type, latter is more accurate/correct.

I don't think omitting it is less accurate, but it is indeed less verbose and may take someone staring at it slightly harder to understand that it provides full version numbers. I think it would be fine to omit the word "Full" and just spec it to return full versions; that's my slight preference.

[yoavweiss]

Looks good! A few comments that can make it even gooder

[yoavweiss]

You're using [=user agent/full version=] here as both the type passed and its value. It's a bit weird.
Maybe instead you can define an internal enum (or string or whatever) that you pass to the algorithm, and then inside the algorithm, split the behavior based on the enum's value?

[miketaylr]

Thanks - I think I finally get what you mean. Let's land this PR here and I filed #254 to fix this up (should be able to do that this week).

[soffieswan041]

TODO:

• deprecate Sec-CH-UA-Full-Version
• should getHighEntropyHints return a FrozenArray for valueList?
• update README
• file corresponding CH Infra issue (to capture permissions policy), and coordinate landing that PR once this is ready
• https://wicg.github.io/ua-client-hints/#create-an-arbitrary-version needs to be updated to take an argument as well

Error: 400 Bad Request

PR Preview failed to build. (Last tried on Sep 13, 2021, 9:15 PM UTC).

More