vdelitz for Corbado

Originally published at corbado.com

User Agent Reduction in Chrome, Safari & Firefox

Introduction: What Are User-Agent Reduction and Client Hints?

In recent years, privacy concerns have driven significant changes in how browsers handle User-Agent strings. Traditionally used for identifying browser and device information, User-Agent strings have been reduced to limit the amount of information shared, thereby protecting user privacy. To address the limitations of User-Agent reduction, Client Hints have emerged as a solution, providing a more controlled and privacy-respecting way to share necessary information.

A Brief History of User-Agent Strings

User-Agent strings date back to the early days of web browsers, starting with Tim Berners-Lee’s WorldWideWeb. Initially, they were straightforward, providing basic browser and version information. Over time, they evolved to include detailed data about the operating system, device type, and more, which proved useful for web analytics and optimizing user experiences. However, this detail also enabled device fingerprinting, raising privacy concerns.

What is User-Agent Reduction?

User-Agent reduction aims to minimize the information in User-Agent strings to protect user privacy. High-entropy information like specific OS versions and hardware models is reduced. For example, Google’s Chrome now reports a less detailed User-Agent string:

  • Before: Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.2.1.0 Mobile Safari/537.36
  • After: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.0.0 Mobile Safari/537.36

Similarly, Firefox and Safari have implemented their own versions of User-Agent reduction, although with slight differences based on their unique policies.

How Do Client Hints Work?

Client Hints provide a way to request specific, high-entropy information about the user's device and browser in a privacy-conscious manner. There are two primary methods to access Client Hints:

  1. HTTP Request Headers: Websites can request specific information about the user's browser and device using HTTP request headers. This is typically used in first-party contexts, ensuring detailed user information is only accessible to the primary website, not third-party resources.
  2. JavaScript API: Client Hints can also be accessed via the navigator.userAgentData object within JavaScript. This allows dynamic querying for specific information, such as architecture, model, and platform version, without setting additional headers.

Implementing Client Hints

Using HTTP Request Headers

To implement Client Hints via HTTP headers, the server needs to set the appropriate headers in the HTTP response, signaling the browser to include these hints in future requests. For example:

Accept-CH: Sec-CH-UA-Platform-Version

Subsequent requests from the browser will then include the platform version:

Sec-CH-UA-Platform-Version: "14.5.0"
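
The same negotiation seen from the server, as an added example that is not part of the original post: the hint is absent on a browser's first request, the reduced User-Agent no longer carries a usable OS version, and both headers are client-controlled input that should be parsed strictly. The function names and the lower-cased header object (as Node's http module provides) are assumptions.

```javascript
// Added example (not from the original post). Function names are hypothetical.
// Client Hints and User-Agent are client-controlled, so parse them strictly.

const HINT = 'Sec-CH-UA-Platform-Version';

// The hint arrives as a double-quoted string. Accept only dotted numeric
// versions such as "14.5.0"; anything else is treated as absent.
function parseVersionHint(raw) {
  if (typeof raw !== 'string' || raw.length > 32) return null;
  const m = /^"(\d{1,5}(?:\.\d{1,5}){0,3})"$/.exec(raw.trim());
  return m ? m[1] : null;
}

// The reduced Chrome UA on Android carries the fixed token "Android 10; K",
// so the "10" there says nothing about the real OS version.
function versionFromUserAgent(ua) {
  if (typeof ua !== 'string') return null;
  if (/\(Linux; Android 10; K\)/.test(ua)) return null;
  const m = /Android (\d{1,3}(?:\.\d{1,3}){0,2})[;)]/.exec(ua);
  return m ? m[1] : null;
}

// headers: object with lower-cased names (assumption, as in Node's http module).
function resolvePlatformVersion(headers) {
  const hinted = parseVersionHint(headers[HINT.toLowerCase()]);
  const version = hinted ?? versionFromUserAgent(headers['user-agent']);
  const source = hinted ? 'client-hint' : version ? 'user-agent' : 'unknown';
  // Always advertise the hint; Vary keeps caches from mixing variants.
  const responseHeaders = { 'Accept-CH': HINT, 'Vary': HINT };
  return { version, source, responseHeaders };
}

// Constructed sample requests, using the two UA strings shown earlier.
const UA_REDUCED = 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/95.0.0.0 Mobile Safari/537.36';
const UA_FULL = 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/95.2.1.0 Mobile Safari/537.36';

const first = resolvePlatformVersion({ 'user-agent': UA_REDUCED });
const second = resolvePlatformVersion({
  'user-agent': UA_REDUCED, 'sec-ch-ua-platform-version': '"14.5.0"' });
const legacy = resolvePlatformVersion({ 'user-agent': UA_FULL });
console.log(first.source, second.version, legacy.version);
```

The `source` field lets downstream logic distinguish a negotiated hint from a User-Agent guess or no answer at all, instead of silently treating the frozen "Android 10" as real.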

Using JavaScript API

For dynamic applications, the JavaScript API provides flexibility. For example, using the getHighEntropyValues method:

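// Feature-detect first: navigator.userAgentData is not available in every browser.
if (navigator.userAgentData) {
    // Ask only for the high-entropy values that are actually needed.
    navigator.userAgentData.getHighEntropyValues(['architecture', 'model', 'platformVersion'])
        .then(ua => {
            // ua contains the requested hints alongside the default low-entropy fields.
            console.log(ua);
        });
}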

Recommendations for Developers

Depending on your specific needs, you may choose different methods to gather user environment data:

  • Feature Detection: Use existing browser JavaScript APIs wherever possible. This is more reliable and future-proof than relying on User-Agent strings.
  • Low-Entropy Information: For basic details like device type, the User-Agent string might still be sufficient.
  • High-Entropy Information: Use Client Hints if detailed information is necessary and you have control over the domain.

Conclusion

User-Agent reduction and Client Hints represent significant steps towards enhancing user privacy while still allowing websites to gather necessary information for optimal functionality. By understanding and implementing these technologies, developers can balance the need for detailed user data with privacy and performance considerations.

Top comments (2)

Ingo Steinke, web developer

Several feature detection options can be done in JavaScript or in CSS, and of course we should design our websites and apps using responsive design and progressive enhancement. HTML and CSS are more robust than JavaScript and browsers must ignore unknown elements and directives by design.

Apple has reduced their user agent information for a long time now, especially for iPhone, the device most notorious for outdated buggy browsers, so there are obscure feature detection combinations hopefully only targeting a specific range of mobile Safari.

We have been told not to rely on User-Agent strings for twenty years, but still, many web services do, including Cloudflare and Google. Try adding "Vivaldi" to your user agent string and see what happens and how many websites will show you a warning or don't let you use their service at all. That's how you lose customers.

Anders

😎