by theandrewbailey 1801 days ago
I would rather have all this information (along with whatever is being inferred from them) be exposed through a JavaScript API instead of having browsers indiscriminately flood global networks with potential PII.

Chrome came up with this? Figures. Stay evil, Google.

3 comments

Can you explain the attack vector where encrypted HTTPS network traffic is vulnerable but a JS API isn't?

Your browser opens an encrypted connection to somewhere you don't want it to (e.g. loads an image or iframe, JS not required). How many connections and resources does a normal web page load? 100? More? Almost nobody has time to audit all of them. Not technically inclined? You're screwed.

My secondary concern is that there would be more traffic going around the internet that isn't being used 99+% of the time.

There is a JS companion to this proposal that splits up the information in a similar way

https://wicg.github.io/ua-client-hints/#interface

A JavaScript API has been considered as a replacement for the user agent string, but it has two big downsides:

1) JavaScript must be enabled. If it's not, then the server can't get any of the user agent data - at all.

2) The server won't get the user agent data until after it has already responded to the first request it receives from a client. That makes it a lot less useful overall. Having to load a page, then perhaps redirect the user using JS based on what the JS API says is a bit untidy.
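An added example, not part of the thread or of the proposal's own code: a server-side sketch of the header route discussed above, showing which hints are readable on the very first request with no JavaScript and how a server can ask only for the extra ones it needs. The header names come from the UA Client Hints draft; `parseBrands`, `negotiate` and the sample requests are hypothetical names and constructed data.

```javascript
// Constructed sample requests (not captured traffic).
// First request: only the default low-entropy hints are present.
const FIRST_REQUEST = {
  'Sec-CH-UA': '"Chromium";v="120", "Not A;Brand";v="99"',
  'Sec-CH-UA-Mobile': '?0',
  'Sec-CH-UA-Platform': '"Windows"',
};
// Later request, after the server replied with Accept-CH.
const LATER_REQUEST = { ...FIRST_REQUEST, 'Sec-CH-UA-Platform-Version': '"15.0.0"' };

// Hints this hypothetical site actually needs; asking for fewer exposes less.
const WANTED = ['Sec-CH-UA-Platform', 'Sec-CH-UA-Platform-Version'];

// Parse a Sec-CH-UA brand list: quoted brand, then ;v="version".
// Brands may contain ';' or ',' inside the quotes, so split on quotes, not commas.
function parseBrands(value) {
  const brands = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(value || '')) !== null) {
    brands.push({
      brand: m[1].replace(/\\(.)/g, '$1'),
      version: m[2].replace(/\\(.)/g, '$1'),
    });
  }
  return brands;
}

// Report what is known now and which Accept-CH value (if any) to send back.
function negotiate(headers, wanted) {
  const seen = {};
  for (const [k, v] of Object.entries(headers)) seen[k.toLowerCase()] = v;
  const have = {};
  const missing = [];
  for (const name of wanted) {
    const key = name.toLowerCase();
    if (key in seen) have[key] = seen[key];
    else missing.push(name);
  }
  return {
    brands: parseBrands(seen['sec-ch-ua']),
    have,
    // Accept-CH only affects later requests, so missing hints arrive next time.
    acceptCH: missing.length ? missing.join(', ') : null,
  };
}

console.log(negotiate(FIRST_REQUEST, WANTED));
console.log(negotiate(LATER_REQUEST, WANTED));
```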