Add window.clientInformation

[domenic]

See https://bugs.chromium.org/p/chromium/issues/detail?id=692832. Apparently this is an alias for navigator in Chrome, Edge, and Safari. It has high use counter values (0.3%), although presumably a lot of that is just code that enumerates the properties of window. Some example uses in GitHub code search.

I think this will mostly involve adding a sentence at https://html.spec.whatwg.org/#the-navigator-object saying e.g.

The clientInformation attribute of the Window interface must return the same value as the navigator attribute.

and also updating the IDL at https://html.spec.whatwg.org/#window

Marking this as a "good first bug". Another thing that first-time contributors could help with here is writing tests and submitting them to web-platform-tests; it should be a pretty simple test file, e.g. at https://github.com/w3c/web-platform-tests/tree/master/html/webappapis/system-state-and-capabilities/the-navigator-object which just contains a single assert_equals.

[annevk]

The IDL for the Window object also needs to be updated. And I'd prefer it if we didn't state requirements in terms of other attributes. Perhaps the description of the navigator attribute can be updated instead, as both need to return the same object.

[foolip]

@LoonyBean, if you feel like changing a spec instead of Blink, this would be a good one to start with.

[zcorpan]

1093 matches in httparchive

https://gist.github.com/zcorpan/7b801bd145332fead70b290894634151

No bugs in bugzilla.mozilla.org.

It's possible that there are some cases where this is used specifically as a "is Gecko" check. In fact I found http://www.yapo.cl/js-34719/home.js where adding clientInformation in Firefox makes the script detect Firefox as Chrome. (I don't know if that has other consequences for this page.)

http://software.hixie.ch/utilities/js/live-dom-viewer/saved/4903

But then there are likely also unconditional uses of clientInformation that is currently hurting Firefox. Like https://github.com/johannesboyne/mobileHashtagRewrite/blob/0863f928e1b9a13e960027da97e21a38b69a428b/gotoMobile.js (found via the GitHub search cited above)

cc @miketaylr

[foolip]

https://storage.googleapis.com/blink-httparchive-export/clientInformation.json are the 1344 hits for "clientInformation" in httparchive and https://github.com/foolip/unhar/blob/master/unjson is a script that can split it into individual files.

At a glance, it's mostly used as some form of UA sniffing or another, perhaps most interesting is this bit from http://images.sohu.com/cs/jsfile/js/c.js:

function f() {
    var h = "track" in document.createElement("track");
    var g = window.chrome && window.chrome.webstore ? Object.keys(window.chrome.webstore).length : 0;
    if (d(/^sogou/i, 0)) {
        return "sogou"
    }
    if (d(/^liebao/i, 0)) {
        return "liebao"
    }
    if (window.clientInformation && window.clientInformation.languages && window.clientInformation.languages.length > 2) {
        return "chrome"
    }
    if (h) {
        return g > 1 ? "360ee" : "360se"
    }
    return ""
}

Where the call to f() is gated on a previous navigator.userAgent check of some sort.

From this quick check, I didn't find anything that would obviously categorize Gecko as Chrome, but you never know. FYI @smaug----

[foolip]

Oops, I'm obviously slower at research than @zcorpan and not as good either :)

[muodov]

It seems like a convenient ticket to get started with contributions to both HTML spec and WPT, so I'd be happy to work on it.
Considering the results of @zcorpan"s and @foolip's research, is it still a good idea to make this part of the standard? One might say clientInformation doesn't add a practical value other than breaking those fingerprinting snippets.

[foolip]

@muodov I think this is indeed a good starter bug, both the spec and test updates should be fairly straightforward.

Before proceeding, it's probably worth checking if Mozilla are supportive of this, since Gecko is the engine that would be failing the new tests. @annevk @miketaylr who would be a good person to say yay/nay on this one?

[smaug----]

Have other engines considered removing the rather useless property?

[foolip]

Yes, I've considered trying it for sure, every time I've come across it. However, the usage is high and can't explained only by enumeration of attributes on window, since it's ~1% higher than another useless attribute, window.offscreenBuffering:
https://www.chromestatus.com/metrics/feature/timeline/popularity/356
https://www.chromestatus.com/metrics/feature/timeline/popularity/695

There is also risk for Gecko in adding it, namely the risk that Firefox gets classified as Safari or Chrome and goes down a wrong code path. If that risk seems too big to bother with this, then we should probably go down the path of https://html.spec.whatwg.org/multipage/system-state.html#concept-navigator-compatibility-mode for this.

[miketaylr]

There is also risk for Gecko in adding it, namely the risk that Firefox gets classified as Safari or Chrome and goes down a wrong code path.

I'd like to look into this part specifically -- I'm not aware of any sites breaking due to us not supporting clientInformation.

I took the files from #2379 (comment) and ran them through prettier to be easier to look at. Most of them are here (a few were discarded, namely CSS files and HTML docs):

https://github.com/miketaylr/clientInformation-files

(There's some de-dupe work that could be done, but it doesn't seem worth the effort)

[muodov]

@foolip I'm doing some work in miketaylr/clientInformation-files#1 to classify those samples. So far it seems like clientInformation is used by several common libraries for browser detection and fingerprinting. This is not just Window enumeration, but should not "break" if clientInformation is removed.
What are the current guidelines/criteria for feature removal in Chromium?

[zcorpan]

@muodov nice work! I would suggest to file an issue for chromium and webkit to remove it, citing this issue and the research in miketaylr/clientInformation-files#1 with a summary and your conclusion.

For Chromium, I think https://www.chromium.org/blink/removing-features are current guidelines.