It's pretty obvious how this information can be used to track users across domains. The draft itself has some language in it that kinda sounds like disclaimers, such as:
"Transmitted Client Hints header fields SHOULD NOT provide new information that is otherwise not available to the application via other means, such as using HTML, CSS, or JavaScript."
However, this spec really neatly wraps all this information together in a package that will make it much more easy to abuse.
This takes information primarily available via JavaScript and makes it available in a declarative form that doesn't require running scripts on the client. This means less code running on the client.
Not saying there's also a positive use-case for this. Many web features are used for nefarious purposes. Do you disagree that this feature makes it easier to track people around the web?
That seems extremely naive given that Google is also the browser vendor and they greatly benefit from tracking, and last to adopt privacy features. I highly doubt users will be given an obvious choice to turn this off.
I'm surprised there's a "Width" field but not a "Height" field. It makes sense for the request a browser makes to get an img to include the dimensions.