[Beltalowda]

> A large entity like Akamai should not have relied on UA without preparing cleaner solutions built with the browser vendors

The current solution works; there is no problem here.

> The proof of this is in the very existence of this article from Akamai. They are "screwed" [1] because they can't really do what they are doing the way they are doing it.

This is a rather odd interpretation of the article; they just switched from User-Agent header to UA Client Hints. UA Client Hints are the same as the User-Agent string, except delivered through a different mechanism. It's little more than s/one-thing/other-thing-thats-basically-the-same-but-different/

I resent how the Chrome team is handling this because it's forcibly creating work for a large number of developers for no good reason in particular other than "this other interface is a little bit nicer".

[jraph]

Ah yes, you are right, I misread this a bit.

Well, then if the UA string is reduced for privacy reasons but the server can still ask for the information, the benefits are quite unclear.

UA strings need to be solved but I also agree that Chrome single-handledly deciding the standard is annoying.

[Beltalowda]

The biggest privacy impact is just vendors putting bonkers things in the User-Agent string by choice. Mobile browser vendors in particular put all sort of things in there: the device model is pretty much standard for no good reason in particular, but you also see very specific OS build versions, device settings, and the like. Some Android vendors in particular are real bad about this.

I have no expectation that will stop no matter what we do with the tech. They made the decision to stuff it in there for whatever reason and will find somewhere else to stuff it.

> UA strings need to be solved

At this point, just getting the browser name and system name out of a User-Agent string is not as hard as it's sometimes made out to be; things could probably be simplified a bit (does Chrome really need to send "KHTML like Gecko"? Probably not), and vendors could choose to send less information (like Firefox already does, and has for many years).

I mean, it's a bit more messy than it needs to be; removing the "Mozilla/5.0" that every browser sends probably will break some things as it's a bad but quick and surprisingly effective way to check if a browser is a bot, but ... is it really that big of a deal that every browser sends that? Is it really worth the effort replacing that?

[richsalz]

The privacy impact is that the server asks for what it wants, and the client (browser) can decide what to send.