Comments (4)
@kdeckard thank you for driving the discussion!
so the client hints will basically require subsequent requests after the first one, if the server needs more detailed information.
The client only sends the so called low entropy headers on the first request, which contain information, which is considered non sensitive.
I like this idea of asking the client while the server can be configured by default to asking for more info or not.
I just don't like the implementation. I was expecting something much more simple.
This should be like the CORS "preflight" request, via OPTIONS
, where the browser client asks "hey can I actually perform this request?".
Here is my understanding so far:
I believe that if you implement a detection solution at the PHP-level, you will have a round trip.
Most of websites are on shared hosting, say an Apache that might be configured in a conservative way (e.g. "don't request any additional headers by default"). So as a developer I have to make sure my index.php
has an Accept-CH
header with as many values as I need for detection to work: Device-Memory, DPR, Viewport-Width, ... and so on
. Only after this, the library will be able to pick up details from the subsequent HTTP request headers.
My guts tells me that we're underestimating the power of the User-Agent
header string, just like I underestimated the actual use case of the Mobile_Detect
library ... I thought this will die in 2 years max since I took over the development.
We need to look inward to what we have rather then invent new HTTP headers and properties, which will lead to custom parsing techniques and opinionated rules anyway.
from mobile-detect.
We need to look inward to what we have rather then invent new HTTP headers and properties, which will lead to custom parsing techniques and opinionated rules anyway.
I strongly agree. Unfortunately, it seems reality is often more like this:
from mobile-detect.
@kdeckard thank you for bringing this up again!
Client Hints enforce a model where the server must ask the browser for a set of data about the client (the hints) and the browser applies its own policies or user configuration to determine what data is returned.
I like the idea of the server to explicitly require for full/partial browser specs. eg. Accept-CH: Sec-CH-UA-Full-Version-List
.
It's unclear to me if this requires two requests, or the first one is an OPTION request.
By default, the browser returns the browser brand, significant / major version, platform, and an indicator if the client is a mobile device:
Sec-CH-UA: "Chromium";v="93", "Google Chrome";v="93", " Not;A Brand";v="99" Sec-CH-UA-Mobile: ?0 Sec-CH-UA-Platform: "macOS"
This is horrible.
The only advantage is that this is more explicitly declared in a key/value structure (HTTP headers).
Sec-CH-UA-Model
| "Pixel 3" | The device model.
So Sec-CH-UA-Model
will contain the device label (name) per-se, still from my experience with User-Agents, manufacturers will attempt to inject their own tokens/headers: https://github.com/serbanghita/Mobile-Detect/blob/5.x/tests/providers/vendors/ZTE.php#L7
I think there's the firmware build missing from the specs. There are multiple Android 12 builds https://github.com/serbanghita/Mobile-Detect/blob/5.x/tests/providers/vendors/Samsung.php#L253-L257
UA reduction
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.0.0 Mobile Safari/537.36
Sure this is a theoretic win to privacy but it doesn't make sense without weighting in pros/cons.
First Chrome/93.0.0.0.0
will be really confusing to debug when customers report UI bugs due to a minor browser update.
Second, replacing the device name SM-A205U
with K
can actually trigger false assumptions by existing sniffers. In Mobile_Detect case, we could no longer determine if the device is a tablet or a simple phone.
I would simply go with a backward compatible refactor of UA.
Old UA: Mozilla/5.0 (Linux; Android 9; SM-T810) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.1234.56 Safari/537.36
New UA: Chrome/93.0.1234.56 ; Android/9 ; Linux ; SM-T810 ; {{GARBAGE STRINGS}}
So the new structure will be Browser/ver ; OS/ver/build ; OS Family ; Device name ; {{GARBAGE STRINGS}}
from mobile-detect.
Hi,
so the client hints will basically require subsequent requests after the first one, if the server needs more detailed information.
Roughly broken down:
The client only sends the so called low entropy headers on the first request, which contain information, which is considered non sensitive. These include the headers: Save-Data
, Sec-CH-UA
, Sec-CH-UA-Mobile
and Sec-CH-UA-Platform
.
I am also quite sure that a client could decide to bail out here and don't send any headers on the first request at all, which would leave the server without any information.
All other information need to be requested by the server on demand via the the Accept-CH
. When the client then supports the hints, it can choose to append the information in subsequent requests.
Interestingly, there are mechanisms, which could be used like escape hatches. The proposal sums them up under the term client hint reliability.
A server can define the Critical-CH
response header along with Accept-CH
in it`s first response to a client. The client then should check if the "critical headers" were included in the first request. If not, it should re-send it automatically.
Example from MDN:
Server response:
HTTP/1.1 200 OK
Content-Type: text/html
Accept-CH: Sec-CH-Prefers-Reduced-Motion
Vary: Sec-CH-Prefers-Reduced-Motion
Critical-CH: Sec-CH-Prefers-Reduced-Motion
Client retry:
GET / HTTP/1.1
Host: example.com
Sec-CH-Prefers-Reduced-Motion: "reduce"
The emphasis here is on should, as for example Chrome supports it but Edge not (at least accordingly to DeviveAtlas and I could not find more on it in MS documentation).
Regarding your concerns about the reduced UA strings in Chrome:
In Mobile_Detect case, we could no longer determine if the device is a tablet or a simple phone.
Correct, that will be the case. They will completely remove the device information from the UAs and you can no longer make assumptions on it for mobile devices. The final rollout will be Chrome 113
with release scheduled for Tue, May 2, 2023
(https://chromiumdash.appspot.com/schedule).
Only platform not affected by it will be IOS / IpadOS and WebView.
from mobile-detect.
Related Issues (20)
- Use getters (ie. getTabletDevices()) HOT 4
- Not Work Properly HOT 3
- Safari on iPad: completely incorrect reports HOT 1
- Trying to get in touch regarding a security issue HOT 2
- MD v 3.74 - PHP Parse error: syntax error, unexpected 'array' (T_ARRAY), expecting function (T_FUNCTION) or const (T_CONST) in Mobile_Detect.php on line 245 HOT 1
- How to check Desktop site setting On OR Off in mobile browser
- isMobile doesn't cache matches HOT 2
- isEdge() return false on Edge Browser
- 4.8.x HOT 4
- isMobile and IsTablet failing on ios devices - using safari HOT 1
- Port functionality from `jenssegers/agent` HOT 11
- Restore implicit use of `HTTP_USER_AGENT` in 4.8.x branch HOT 3
- Chrome's user agent reduction results in no longer detecting Android tablets as a tablet device HOT 1
- Getting a Parse error on the latest version (4.8.03) on PHP 7.1.33 HOT 4
- Google SERP links open as the mobile version HOT 5
- [bug] No user-agent has been set HOT 18
- [bug] breaking change pushed as patch HOT 3
- Need advice on `No valid user-agent has been set` PHP Fatal error HOT 4
- Tablet IOS detection HOT 1
- I dont understand HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from mobile-detect.