
Client Hints

From Wikipedia, the free encyclopedia

Client Hints are a set of HTTP header fields and a JavaScript web application programming interface (API) for proactive content negotiation in the Hypertext Transfer Protocol (HTTP). The client can advertise information about itself through these fields so the server can determine which resources should be included in its response. Initially proposed in 2013 by engineers at Google, Client Hints were presented as a privacy-preserving alternative to user-agent header strings as part of Google's Privacy Sandbox initiative. The initial design of Client Hints faced pushback from browser vendors due to various privacy concerns. As of May 2024, over 75% of all internet traffic supports Client Hints. Despite this widespread adoption, privacy researchers have raised concerns that Client Hints are primarily being used by tracking scripts.

Background

Since the early days of the internet, there has been a desire to identify what kind of client a user was using to connect to a server. In 1992, an extension to the HTTP protocol was introduced adding a User-Agent HTTP header, which was sent from the client to the server and contained a simple string identifying the name of the client and its version. The header was meant purely for statistical purposes and for tracking down clients that violated the protocol. Since then, with the evolution of the internet, User-Agents became increasingly more complex, and started containing significant granular information about the user. Often, this information is used in browser fingerprinting, allowing sites to track users across sites passively without having to load any JavaScript for the user.[1]

History

The original draft for the client-hint specification was proposed in 2013 by engineers at Google. The specifications became an official Internet Engineering Task Force (IETF) draft in November 2015. Subsequently, in 2021, the specification was upgraded to an experimental RFC. Around the same time, the specifications for handling HTTP client hints on the web were published as a draft in a W3C Community Group Report.[2]

In 2020, Google announced their intention to deprecate user-agent (UA) strings as part of their Privacy Sandbox initiative, citing client hints as a privacy-preserving alternative.[1] The initial client-hints proposal was met with pushback from other browser vendors due to privacy concerns. Mozilla, the company that makes Firefox, initially classified the proposal as harmful, and Apple took a negative stance against the proposal.[1] Brave also raised concerns about the initial proposal, citing ways in which it could be used to track users on the internet.[3] Despite these concerns, Chrome implemented support for HTTP Client Hints in August 2020. While the deprecation of the UA strings was delayed due to the COVID-19 pandemic, this process was completed in February 2023.[1]

Since their initial opposition, Mozilla and Apple have updated their stance to neutral, and Brave has synchronized its implementation of client hints with that of Chrome. As of May 2024, over 75% of all traffic on the internet supports client hints.[2]

Mechanism

The Client Hints protocol defines two entities: a user agent (UA) (typically a browser) and a server. These two entities communicate with each other to negotiate what kind of content should be served to the user.[4] The process involves the server sending the UA a response with an Accept-CH HTTP header, containing a list of the Client Hint HTTP headers that it requires. Subsequently, the UA is expected to return the requested client hints with each subsequent request, provided it supports those hints. These headers are then used by the server to make decisions on what kind of content to serve the UA.[2] If the UA does not understand or support a particular client hint, it is instructed to ignore that hint. In cases where the Client-Hints cannot be cached, the server must specify the applicable client hint headers in a separate Vary header sent to the UA.[1] This ensures that caching mechanisms understand that responses can vary based on different client hint values.[5] For client hints that specifically identify a browser, additional random browser identifiers are included as grease in order to prevent protocol ossification around browser sniffing.[6]

For UAs that allow JavaScript, an additional option is available through the navigator.userAgentData JavaScript API. This API enables JavaScript to retrieve the same information as provided by the Client Hints headers.[1]

Example

To initiate a content negotiation, an HTTP server appends the Accept-CH header to the response of an HTTP request:

HTTP/1.1 200 OK
...
Accept-CH: Viewport-Width
...

If the user-agent supports the viewport width client hint, the user-agent will append the Viewport-Width header to every subsequent request:

GET /gallery HTTP/1.1
...
Viewport-Width: 1920
...

The server can then use the information in the Viewport-Width header to make a decision about the kind of content to serve the user-agent. For example, if the server has a particular image that is extremely large, the server can be configured to return a smaller image if the image does not fit the viewport.[7]
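The Accept-CH / Viewport-Width negotiation described in the Mechanism section and walked through above, as an added JavaScript example that is not part of the Wikipedia article or of any browser or server implementation. It simulates both sides in one Node.js script: the server advertises the hints it wants (including one hint the client does not know, which the client ignores), the client attaches only the hints it supports to its subsequent request, and the server picks an image variant from Viewport-Width and sets Vary accordingly. The Sec-CH-UA brand list parser tolerates GREASE-like brands, as the User-Agent Client Hints specification cited above requires of servers. The hint name Sec-CH-Example-Unknown, the brand "Example Browser", the image file names and the width breakpoints are constructed for this demo.

```javascript
// Added example (not from the Wikipedia article): a simulated Client Hints
// exchange. Sec-CH-UA and Viewport-Width are real hint headers; the hint
// "Sec-CH-Example-Unknown", the "Example Browser" brand, the image names
// and the width breakpoints are constructed for the demo.

// Split a comma-separated header list such as "Viewport-Width, Sec-CH-UA".
function parseHeaderList(value) {
  return value.split(',').map(s => s.trim()).filter(Boolean);
}

// --- Server side -----------------------------------------------------------

// Hints this server would like to receive. A UA that does not understand a
// listed hint simply omits it, so the unknown entry is harmless.
const SERVER_ACCEPT_CH = ['Viewport-Width', 'Sec-CH-UA', 'Sec-CH-Example-Unknown'];

// First response: advertise the wanted hints and tell caches, via Vary,
// that later responses depend on them.
function serverInitialResponse() {
  return {
    status: 200,
    headers: {
      'Accept-CH': SERVER_ACCEPT_CH.join(', '),
      'Vary': SERVER_ACCEPT_CH.join(', '),
    },
  };
}

// Parse a Sec-CH-UA brand list such as
//   "Chromium";v="124", "Example Browser";v="124", "Not-A.Brand";v="99"
// into [{brand, version}]. GREASE-like brands are unpredictable on purpose,
// so unknown brands are kept as data rather than rejected.
function parseBrandList(value) {
  const brands = [];
  const re = /"([^"]*)"\s*;\s*v\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(value || '')) !== null) {
    brands.push({ brand: m[1], version: m[2] });
  }
  return brands;
}

// Pick an image variant from Viewport-Width. A missing or malformed hint
// (the UA may not support it) falls back to the full-size image.
function serverSelectImage(requestHeaders) {
  const raw = requestHeaders['Viewport-Width'];
  const width = raw === undefined ? NaN : Number.parseInt(raw, 10);
  let image;
  if (Number.isNaN(width) || width <= 0) image = 'gallery-large.jpg';
  else if (width < 800) image = 'gallery-small.jpg';
  else if (width < 1600) image = 'gallery-medium.jpg';
  else image = 'gallery-large.jpg';
  return {
    status: 200,
    headers: { 'Vary': 'Viewport-Width', 'Content-Type': 'image/jpeg' },
    body: image,
  };
}

// --- Client (user agent) side ----------------------------------------------

// Hints this constructed UA knows how to send, with the values it would use.
const UA_SUPPORTED_HINTS = {
  'Viewport-Width': () => '1920',
  'Sec-CH-UA': () => '"Chromium";v="124", "Example Browser";v="124", "Not-A.Brand";v="99"',
};

// Record which requested hints the UA will honour for this origin,
// silently dropping the ones it does not understand.
function clientApplyAcceptCH(response, clientState) {
  const requested = parseHeaderList(response.headers['Accept-CH'] || '');
  clientState.activeHints = requested.filter(
    h => Object.prototype.hasOwnProperty.call(UA_SUPPORTED_HINTS, h));
  return clientState.activeHints;
}

// Build a later request carrying the active hints.
function clientBuildRequest(method, path, clientState) {
  const headers = {};
  for (const hint of clientState.activeHints) headers[hint] = UA_SUPPORTED_HINTS[hint]();
  return { method, path, headers };
}

// Run the whole exchange and return what each side saw.
function runExchange() {
  const state = { activeHints: [] };
  clientApplyAcceptCH(serverInitialResponse(), state);
  const req = clientBuildRequest('GET', '/gallery', state);
  const brands = parseBrandList(req.headers['Sec-CH-UA']);
  const res = serverSelectImage(req.headers);
  return { activeHints: state.activeHints, request: req, brands, image: res.body };
}

console.log(JSON.stringify(runExchange(), null, 2));
```

Running the script prints the hints the client agreed to send, the request it built, the parsed brand list (with the GREASE brand kept) and the image the server chose; note that the client never sends the hint it does not recognise, and the server still answers when no Viewport-Width arrives at all.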

Privacy concerns

When the client-hints proposal was originally published, it was met with significant privacy concerns. Browser vendors like Brave and Mozilla pointed out that a particular provision in the initial draft of the proposal allowed websites to instruct the browser to provide Client-Hint data to third-party domains. Third-party domains are domains that do not execute any JavaScript code, but rather load resources like images and script files.[3] The provision in the initial draft would allow these third-party domains, like content delivery networks (CDN) and cloud service providers such as Cloudflare and Google Cloud (called TLS terminators), to track users across the web by instructing the browser to send client-hint information to their servers.[3][8] Additionally, concerns were raised that the Client-Hint proposal was too permissive and explicitly allowed new privacy-compromising information, which could not be obtained by simply parsing HTTP headers, to be leaked to servers.[8] Extensions that aim to preserve a user's privacy, like the NoScript extension, also opposed the proposal on the grounds that it would make it significantly harder to prevent sites from exfiltrating privacy-compromising information about users.[3]

Since the adoption of Client Hints by major browsers, privacy researchers have raised concerns over their real-world use for tracking. A 2023 study by researchers from KU Leuven and Radboud University found that out of a crawl of over 100,000 websites, 60% of the scripts accessed the Client Hints JavaScript APIs, with most being tracking and advertising scripts, many of which came from Google. Over 90% of these scripts exfiltrated the obtained data to tracking domains.[1] A subsequent study in May 2024 by researchers from the Hochschule Bonn-Rhein-Sieg University of Applied Sciences noted that while overall adoption of Client Hints across the internet was low, a significant number of third-party domains known for tracking accessed HTTP Client Hints data.[2]


References
  1. Senol, Asuman; Acar, Gunes (2023-11-26). "Unveiling the Impact of User-Agent Reduction and Client Hints: A Measurement Study". Proceedings of the 22nd Workshop on Privacy in the Electronic Society. ACM. pp. 91–106. doi:10.1145/3603216.3624965. ISBN 979-8-4007-0235-8. Archived from the original on 2024-06-26. Retrieved 2024-06-25.
  2. Wiefling, Stephan; Hönscheid, Marian; Iacono, Luigi Lo (2024-05-22). "A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web". arXiv:2405.13744 [cs].
  3. Cimpanu, Catalin (2019-05-16). "Privacy concerns raised about upcoming Client-Hints web standard". ZDNET. Archived from the original on 2023-12-01. Retrieved 2024-06-02.
  4. Grigorik, I.; Weiss, Y. (February 2021). HTTP Client Hints. IETF. doi:10.17487/RFC8942. RFC 8942. Retrieved 2021-02-11.
  5. "HTTP Client hints". HTTP. MDN. 2024-03-05. Archived from the original on 2024-06-07. Retrieved 2024-06-02.
  6. Taylor, Mike; Weiss, Yoav, eds. (2024-04-01). "User-Agent Client Hints § 6.2. GREASE-like UA Brand Lists". WICG. Archived from the original on 2024-06-18. Retrieved 2024-06-26.
  7. "Improving user privacy and developer experience with User-Agent Client Hints". Privacy & Security. Chrome for Developers. Archived from the original on 2024-06-02. Retrieved 2024-06-02.
  8. "Brave's Concerns with the Client-Hints Proposal". Brave. 2019-05-09. Archived from the original on 2024-06-26. Retrieved 2024-06-02.