
Google is working on an HTTP extension for exposing more client information - treve
https://tools.ietf.org/html/draft-ietf-httpbis-client-hints-06
======
treve
It's pretty obvious how this information can be used to track users across
domains. The draft itself has some language in it that kinda sounds like
disclaimers such as:

"Transmitted Client Hints header fields SHOULD NOT provide new information
that is otherwise not available to the application via other means, such as
using HTML, CSS, or JavaScript."

However, this spec really neatly wraps all this information together in a
package that will make it much more easy to abuse.

~~~
JoshTriplett
This takes information primarily available via JavaScript and makes it
available in a declarative form that doesn't require running scripts on the
client. This means _less_ code running on the client.

~~~
treve
Yeah, this is kind of the point. You won't need client-side code to create
persistent tracking systems.

~~~
JoshTriplett
Or to do useful things like adapt image sizes and resolutions.

~~~
treve
Not saying there's also a positive use-case for this. Many web features are
used for nefarious purposes. Do you disagree that this feature makes it easier
to track people around the web?

~~~
JoshTriplett
Yes, I disagree. Your browser will provide control over it, and all the
information is already available via JavaScript anyway.

Also, browsers could round viewport width information to the nearest popular
size.

~~~
treve
That seems extremely naive given that Google is also the browser vendor and
they greatly benefit from tracking, and last to adopt privacy features. I
highly doubt users will be given an obvious choice to turn this off.

------
JoshTriplett
I'm surprised there's a "Width" field but not a "Height" field. It makes sense
for the request a browser makes to get an img to include the dimensions.

