by lukev 1022 days ago
This doesn't make sense. The browser provides the user agent as a header in HTTP requests. They can't detect if or how the server is using that information.

Or do you mean your friend's product is a browser plugin? In which case, um, yes, I don't want it having access to any more information than it needs to do its job (and honestly, probably not even that.)


> The browser provides the user agent as a header in HTTP requests.

They (Chrome) are taking it away [0].

[0]: https://developer.chrome.com/en/docs/privacy-sandbox/user-ag...

Excellent. Sites shouldn't know what user agent we're using anyway. Pretty much the only thing they use this for is to lock us out when we use "unsupported" browsers. The less information they get, the better. Hopefully they'll get rid of referrer too and weaken fingerprinting methods.

I have no doubt Google has self-serving motivations here but the result is still a win for us. I wish Firefox had enough leverage to force decisions like this down people's throats whether they like it or not but it just ain't so. Reality is imperfect so I'll take what I can get.

Yeah I tend to agree here... It really seems like none of the server's business what agent I'm using.

Yup. It's none of their business. They can't discriminate against us if they don't know anything about us.

Can't trust you either. Are you a bot? Well it's good to assume you are by default, since it's the majority of internet traffic anyway. And for your privacy, you're not exactly forthcoming with data to now prove otherwise.

So sorry, until you pay with a unique individual bank account to prove identity, you can't post on future social media sites. You are a bot after all.

Even if I was a bot, what of it? Your site should serve bots just as well as it serves humans. Only people who care about that are those who want to monetize our eyeballs by selling our attention to the highest bidder.

If it's costing you money, have your HTTP server return 402 Payment Required instead of the free page. That's how it should be.

I've always advocated for feature detection. If you test for typeof Object.assign !== 'function' you can be sure you have a reasonably recent browser. If you want fetch, test for window.fetch.

This sort of thing always feels like it's going against the grain, with someone always asking "why wouldn't you do this properly? You know, build an allow list of user agents and match against them". I fully support people being forced into detecting the features they want and doing away with this nonsense.

I don't think web developers should be able to detect stuff like that either. Their ability to detect stuff provides identifying bits for fingerprinting. As far as I'm concerned, all the browsers should normalize the return values of those typeofs and all related functions so that Javascript can figure out exactly zero bits of information about the environment it's running on. Just like browsers will lie to Javascript when it tries to figure out your browsing history by checking the color of links.

The web platform gave web developers way too much freedom and they're abusing it. God giveth and god taketh away.

There's simply no way that can ever be built though. "Browser v2 provides X which will call argument 1 in 2 seconds" -> how would browser v1 possibly hide that it is not v2? Anyone can build a thing that checks for that behavior, and now you have a piece of information.

Or for more useful stuff, "X gets you data from URL Y". Either you get that data or you don't. Voila, data about the browser.

The only alternative is that you never ever release any new features or fix any bugs.

How does cryptography software avoid such side channels? Normalize the performance somehow.

If I remember correctly, Firefox's fingerprinting resistance will actually slow down functionality to achieve that. Reduces the precision of performance timers or something. Makes CAPTCHAs exponentially more obnoxious.

> Feature detection is too much power for developers

- People on HN.

Yes, it is too much power for them. Power which they abuse by fingerprinting us. Browser vendors agree with me: they reduced the power of developers by lying to Javascript when they tried to check link styles.

Do you think otherwise?

There are plugins for Firefox that can make the user agent string anything you want.

It doesn't matter. Actually those plugins are straight up counterproductive.

The best user agent is the one that offers them the fewest identifying bits. In other words, the user agent of the most popular version of Chrome. The ability to set it to "anything we want" is actually a trap. What we really want is for everyone to use the exact same user agent so they can't tell us apart.

If everyone has the same user agent, it's nothing but a waste of bandwidth and it should be removed. Google is actually achieving our objective here.

Well yeah, they have a pre-configured set of choices, e.g. "Chrome on Windows" but you can do something custom too, if you want.

Firefox has plugins to set your user agent to Chrome.

Pointless. Firefox should just pretend to be Chrome by default without the user having to install plugins or even do literally anything. As should all the other browsers. Anything that leaks out the fact it's not Chrome should be considered a bug and fixed.

I'm all on board calling Google out for slowly implementing a user data protection racket, where Google owns all the data and everyone else is squeezed out and has to go through Google as The central data broker. At the same time this user agent reduction thing seems like a decent idea at first blush and good for users' privacy.

TBH I'm surprised the User-Agent header has survived as long as it has. Referer, too.

Referer is not quite the same as how it was. In recent years, the default behavior in most cases is for the browser to either send just the origin, or no referer at all.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

"Origin" means no path, so the referer might tell me which search engine the user used, but not what search query was done. It's much better than in the old days, where I might even see someone's session ID in the referer.

YouTube got around this in the earlier days since the referer header didn't send query strings. Maybe if referer hadn't existed, YouTube urls would look like /watch/ViDeOID

That header and Referer were always a mistake. I don't think The Google's motivation is pure, but I agree in principle.

A lot of sites will break for people as a result, though. Maybe that's what The Google wants, though.

> Referer were always a mistake

Yeah, it's even spelled wrong!

My web development knowledge is very limited. But isn't this the main method where simple websites (most static generators) used to decide if the user is browsing from a mobile or not and serve a version based on that?

I would appreciate it if someone could explain what other things people do to tackle this, or if I'm completely wrong?

Most responsive design is based on screen dimensions with CSS media queries these days, not on the actual class of device.

Although really they should be using a pointer media query. Lots of sites I see randomly turn into mobile versions on desktop as soon as you resize the window narrow.

Though I can see justifications for giving people a different UI depending on whether they use a touch screen or a mouse.

The modern solution is to use CSS with media queries. You tell the client how the site is supposed to look on various screen sizes. The client applies the rules without leaking any information about which rules it chose to apply.

That's mostly done client-side these days; having the server treat clients differently doesn't happen as much anymore.

I think media queries have been the way to do that for awhile. Or I think there's some javascript trick to do it.

The server now needs to respond with the Accept-CH header specifying it wants the client to send the mobile client header by including the "UA-Mobile" value. A compliant client will then send the Sec-CH-UA-Mobile header in its next request with either the value "?0" or "?1".
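The Accept-CH exchange described in the comment above, as an added example that is not part of the thread or of any browser vendor's code: a small Node.js request handler that opts in to the hint and classifies later requests from the `Sec-CH-UA-Mobile` value. The header names are the Client Hints names; the handler, the helper functions and the sample header objects are constructed here, and the server is only started when a `PORT` environment variable is set.

```javascript
// Parse an HTTP Structured Field boolean ("?0" or "?1").
// Returns true/false, or null when the hint is absent or malformed, so the
// caller treats "no hint" as unknown instead of silently assuming desktop.
function parseSfBoolean(value) {
  if (value === undefined || value === null) return null;
  const v = String(value).trim();
  if (v === '?1') return true;
  if (v === '?0') return false;
  return null;
}

// Classify a request from its headers alone. `headers` is a plain object with
// lower-cased keys, which is the shape Node's IncomingMessage.headers has.
function classifyClient(headers) {
  const mobile = parseSfBoolean(headers['sec-ch-ua-mobile']);
  if (mobile === null) return 'unknown';
  return mobile ? 'mobile' : 'desktop';
}

// Response headers that opt in to the hint. Accept-CH asks a compliant client
// to send Sec-CH-UA-Mobile on subsequent requests; Vary keeps a shared cache
// from handing the mobile variant to desktop clients (or the reverse).
function responseHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Accept-CH': 'Sec-CH-UA-Mobile',
    'Vary': 'Sec-CH-UA-Mobile',
  };
}

// Choose a body for the classification. 'unknown' (first request, or a client
// that never sends the hint) falls back to the desktop layout on purpose, so a
// client that withholds the hint gets the general-purpose page, not an error.
function renderPage(classification) {
  const variant = classification === 'mobile' ? 'mobile' : 'desktop';
  return `<!doctype html><title>${variant} layout</title>` +
    `<p>Served the ${variant} variant (client hint: ${classification}).</p>`;
}

// Handler in the (req, res) shape http.createServer expects.
function handle(req, res) {
  const classification = classifyClient(req.headers);
  res.writeHead(200, responseHeaders());
  res.end(renderPage(classification));
}

// Simulated exchange (constructed sample headers): a first request carrying no
// hint, then the same client's follow-up after honouring Accept-CH.
const firstRequest = { 'user-agent': 'ExampleBrowser/1.0' };
const followUp = { 'user-agent': 'ExampleBrowser/1.0', 'sec-ch-ua-mobile': '?1' };

console.log('first request ->', classifyClient(firstRequest)); // unknown
console.log('follow-up     ->', classifyClient(followUp));     // mobile

// Only bind a socket when explicitly asked, e.g. PORT=8080 node example.js
if (typeof process !== 'undefined' && process.env.PORT) {
  require('http').createServer(handle).listen(Number(process.env.PORT));
}
```

Two points worth noticing when reading it against the thread: the first request from any client carries no hint at all, so the server cannot branch on it until the second round trip, and a client that never sends the hint (the iOS case raised below, or a privacy-minded browser) is indistinguishable from one that has not yet seen Accept-CH, which is why the handler keeps a separate `unknown` state rather than folding it into `desktop`.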
Not supported on iOS, which is a good chunk of the mobile traffic you're trying to identify.

I agree that user agent is not the best idea but it helps endlessly when you need to find out what browser a non-techy person is using - just ask them to go to one of the endless sites that tells you what browser you're using based on the user agent string.

Without Referer how will jwz dot org troll HN users?!

If that were really their motive, a better strategy would be making user agent string customization a first-class feature.

No, because approximately nobody would customize it.

Then generalize it by default. I just can't buy that Google really has this motive when they simultaneously are introducing WEI.

I think it's a mistake to assume consistent intentions from a company as big as Google and a product as big as Chrome.

They could also use the user agent: "", or omit the http header entirely.

You can already do that with an extension, can't you?

An extension isn't first-class support, first-class means supported directly in the browser and easily discoverable.

Will that finally bring an end to having to use user-agent-switcher to get some sites to work on Firefox?