Google intends to deprecate the user agent string in Chrome.
According to the proposal, the first step is to deprecate the “navigator.userAgent” method used to access the User Agent string, suggested to start in March with Chrome 81. This change won’t have any visible effect for most people, and websites will continue to work completely as normal. However, web developers will be given explicit warnings in the Chrome development console that retrieving the User Agent string is no longer a good idea.
Next, with the release of Chrome 83 in June, Google will begin to freeze, or stop updating, the User Agent string with each update to Chrome. At the same time, Chrome will also “unify” the information shared about your device’s operating system, for example meaning that two computers on slightly different Windows 10 updates should have the same User Agent. This will eliminate one more potential fingerprinting method.
Finally, beginning in September’s Chrome 85 release, every Chrome rowser running on a desktop operating system, such as Windows, macOS, or Linux, will report the exact same User Agent string, eliminating all possible User Agent fingerprinting. Similarly, Chrome 85 will unify the User Agent on mobile devices, though devices will apparently be lumped into one of a few categories based on screen size.
User agent strings have long outlived their usefulness, and today only serve to artificially restrict browser access in the stupidest of ways. I’m obviously not comfortable with Google spearheading this effort, so I’m counting on a lot of scrutiny from the web community and other browser makers.
When combined with Google’s interest in getting rid of cookies (https://www.nbcnews.com/tech/tech-news/cookies-track-you-across-internet-google-wants-phase-them-out-n1115156) this looks like Google trying to close the door on any future competitors – they have the AI and assets to track users, so they need to prevent any newcomers from challenging them through agent strings and cookies (despite the fact that both are still useful)
‘The1stImmortal
When combined with Google’s interest in getting rid of cookies (https://www.nbcnews.com/tech/tech-news/cookies-track-you-across-internet-google-wants-phase-them-out-n1115156) this looks like Google trying to close the door on any future competitors – they have the AI and assets to track users, so they need to prevent any newcomers from challenging them through agent strings and cookies (despite the fact that both are still useful)’
>
>
Useful to whom? Certainly not the people who’s information you’re using without their permission.
Cookies in general are useful to add state to simple websites without additional overhead. UA strings, given they’re headers, are not only visible to the website and browser but to the web server, and the web server sometimes needs to modify the way it serves pages based on known compatibility issues (eg, some browsers don’t support some compression schemes).
Most of the replacement for these kinds of features focus on the browser and the web code, not web servers, proxies, etc – essential infrastructure that web devs usually ignore.
The1stImmortal,
Agree, cookies are extremely useful useful for websites, like osnews, ecommerce, etc. The use of cookies in and of itself doesn’t imply anything controversial. Most of the privacy problems arise through the use of 3rd party cookies such as those used by google for tracking users across sites. 3rd party tracking cookies are the worst of the worst in terms of privacy since they track you across websites everywhere you go without your consent or even awareness.
Yes, and it does have legitimate uses. Some sites direct you to the right download for your platform based on the UA string. This is a nice touch that I presume is going to break in the future when they deprecate UA strings. I really don’t see the point in breaking UA strings if the browser is going to leak the same data via UA hints API. If it provides the same information, then I don’t see a problem. It’s only a problem for privacy because UA strings today are just too detailed.
Obviously the user agent string can be misused, both technically misusing it for feature detection (much less common than it used to be when IE dominated), and for tracking. However to suggest it doesn’t have valid uses (or that compatibility is solved) goes too far IMHO. It can be very useful to know what users are running to focus development priorities.
As for tracking users via the UA string, one obvious solution (that still provides value to web developers) is just to make it much less descriptive. From the webmaster point of view, there’s really no need for it to be as detailed as it is:
https://www.whoishostingthis.com/tools/user-agent/
“Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0”
So I personally don’t mind making it less descriptive if it still broadly describes the platform. To most developers who aren’t using the UA for tracking, the broad information is much more useful anyways and doesn’t add much tracking value.
I concede, the article does make a good points about UA discrimination. Most websites don’t have an incentive to discriminate against user agents. Ironically though it’s often the companies that make the browsers who are guilty of this (ie microsoft and google).
So although it won’t change website development too much, it obviously makes it harder obtain an accurate picture of what platforms your users prefer.
‘So although it won’t change website development too much, it obviously makes it harder obtain an accurate picture of what platforms your users prefer.’
>
>
And what’s wrong with using generic HTML as website used to? Why should the platform their using even even matter?
Gmail is a perfect example of this kind of website crap. I use plain HTML with it because I can’t stand wadding though the crap interface it throws at you in it’s default state
yoko-t,
(emphasis mine)
This seems backwards to me, today’s websites are more portable than ever. CSS can deliver the same HTML content across many devices, and it actually works even across mobile and desktop! When you go back in the past though, browsers were notoriously incompatible and these incompatibilities were the bane of web developers everywhere. It was often necessary to code multiple versions of HTML and javascript specific to browsers and UA strings to see which versions to serve. For example, many webservers required UA based rules to work around bugs like the IE gzip bugs.
https://www.webveteran.com/blog/web-coding/coldfusion/fix-for-ie6-and-gzip-compressed-javascripts/
It doesn’t feel that long ago, but for those of us who worked as webdevs back then, this absolutely sucked and these days web development is so much better! Alas, it’s not perfect and I still see some platform/browser specific bugs at times, but fortunately it’s rare and sometimes possible to workaround in a portable way. Disabling UA strings can make it harder to track down problems. They do serve legitimate purposes at a high level, but the problem is how much detail they leak, it’s too much.
I don’t use Gmail at all, anyone who cares about privacy really should be avoiding google. Google and facebook are by far the most invasive corporations today IMHO.
if chrome stops providing UA, i suppose safe assumption is to treat the client as full featured browser. otherwise existing rules apply.
it doesn’t mean that every browser out there has to drop it as well. it may make it problematic to figure out how many people use which browser, but i guess chrome is chock-full of necessary telemetry to work without that.
Sometimes Pale Moon is seen as an old version of Firefox, and I am told to “upgrade”. It just happened at Github.
The replacement is UA Client Hints.
https://wicg.github.io/ua-client-hints/
Mozilla and Apple are on board with this, and Apple has already tried freeze the UA string. They rolled some of it back. (I can’t find a link for this.)
https://developer.mozilla.org/en-US/docs/Glossary/Client_hints
https://twitter.com/dassurma/status/1217082509839781888?s=21
Anyway, that’s been a dream for a long time. Someone posted a link from the ~’90s-’00s dreaming about this. UA Client Hints seems like a better way of finding capabilities, and it should benefit third-party browsers.
How to https://www.hyderabadescortservices.in/ Book Escorts in Hyderabad
‘I don’t use Gmail at all, anyone who cares about privacy really should be avoiding google. Google and facebook are by far the most invasive corporations today IMHO.’
>
>
Some of us don’t have ISP’s that provide email addresses like they once did in the past, and don’t want to go though the hassle of setting up an email server for the low volume of email they generate.
yoko-t,
Yes, I find there are a lot of people who claim to care about privacy when you ask, but then they’ll ignore all of that when it’s convenient so they can keep googling and facebooking. There’s a big gap between what people say and what people do. Those of us who follow through with what we say by taking action are the minority.