Blink-Dev – Intent to Deprecate and Freeze: The User-Agent string (groups.google.com)
378 points by jasonvorhe 4 days ago | 288 comments

Quite happy that the market leader is taking this step! Hopefully this will decrease the problems with lacking feature detection.

I was surprised that the post doesn't contain any example user agent strings for a sample of how they are expected to look starting from the different milestones.

How much of the web depends on the User Agent header?

Maybe it can be removed altogether with a small whitelist of exceptions.

    general.useragent.override, String, leave empty
Looks fine so far

> It provides the required information only when the server requests it

In the interest of fingerprinting a server would request this every time.

> It provides the information in small increments, so servers are only exposed to the information they need and request

Then the server would need and request the most comprehensive list possible in order to fingerprint someone with better granularity than a UA string could.

I'm not against this as I appreciate the value of this kind of information for the developers. It would be done one way or another. But why is this billed as mainly a privacy move? Nothing suggests it intrinsically offers better privacy when facing a website configured to fingerprint you. It actually looks like it gives even more granular info over which the user has less control than they used to with the UA.

Is this going to make spoofing UA harder/redundant? If so it's bad news for a lot of projects.

How will this affect caniuse.com? I use it every day.

Ok. So how do we do OS detection then?

How do I know which (binary) download to offer my users?

Edit: How do I provide reasonable defaults when the user’s OS actually matters?

Don't. That's an anti-pattern in UX. People download binaries for different OSes all the time, so list links for all OSes you support.

Giving people a reasonable default is bad UX?

That’s a load of horseshit if I’ve ever heard it.

Websites presenting me with a big button to download a "reasonable" default and hiding everything else behind a small link that I have to go hunting for is really annoying. There is nothing reasonable about it. Don't think that you know better what your users want than the users themselves.

Optimizing for the 99% use-case is fairly normal and reasonable.

iOS users will almost always install apps via the AppStore. Most Windows-users are probably not interested in a DMG. Are you really going to argue against that?

I agree that taking away options based on OS-detection is a seriously nasty UX anti-pattern though.

> iOS users will almost always install apps via the AppStore. Most Windows-users are probably not interested in a DMG. Are you really going to argue against that?

It may be true in the case of iOS and Android, because they are so locked down. However, on more powerful platforms that Windows, Mac and Linux are it isn't. I may want to run it in a VM, or not install it, but place it somewhere on a shared drive, or anything that a non-handicapped OS is capable of facilitating and many of these things will mean I will want a binary not meant to be run by my native OS. Sometimes it happens that one of my devices will break and so I want to use another one to download something that will help me fix the issue. But now I'm going to have to go full Sherlock Holmes on a website that thinks it knows better what I'm looking for.

In fairness, highlighting the right button for your OS and showing an 'other downloads' button is really a 'You' problem that probably only affects less than half of 1% of users. Almost all sites also show an 'other OS downloads' button. But this is all meaningless, as shown above, UA will be replaced by a client hint property.

What reasonable default? You don't know where people want to install your binaries and you do want people to know what other OSes you support. In UX if the number of choices is very small, like those couple of OSes you support, it is always best to present them all.

Every major player provides the reasonable default when downloading binaries. Every single one. There’s a reason for that.

Regular users are not technical and if you ask them to make a choice based on technical matters (Windows, MAC, Linux, Apple AppStore, Android AppStore, Chrome WebStore, whatever), where you instead could have had -1 clear choice- already presented by default in a big nice button, you will lose conversions or increase tech-support costs.

The evidence for this is so overwhelming that knowingly trying to ignore that makes it look like you have an agenda or horse to grind.

A good chunk of users don't know what OS they're running.

Perhaps you should propose a feature detection for it. It could look like the media source API for resolutions and formats for web video - except the same for binary formats for software.

No, these are not UX metrics, these are commercial metrics. There is a reason conversions and tech-support costs and almost all a/b tests and all that are not even remotely good UX metrics, as they do not exist to measure anything users care about in the product, only what companies care about.

Okay. So let’s hypothetically say I buy your argument that providing a reasonable default is bad UX.

In what other places of application development should we also stop providing reasonable defaults and force the user to choose instead?

- country? city?

- localization?

- number for local support hotline?

- email of logged in user?

- type of currency for payments?

No? Then why is having a reasonable default for downloads bad?

My "WebOptions" idea would permit the user to customize these and other settings (both globally and locally; there could be some set of "common" keys as well as supporting keys specific for the server), in a similar format to cookies, although the server and document scripts would not be allowed to set them, and the user only sets them explicitly. For email, there is a "From" header, so that can be used if it is available.

But anyways, the service should not make it difficult to download if it detects a wrong computer; it should allow it always, and should not be so difficult by trying to hide it.

The irony of Google purporting to protect users' privacy while at the same time:

- Chrome is still shipping with 3rd party cookies turned on by default (Safari and Firefox have them off, by default)

- Chrome usage stats are sent to Google including button clicks. This is admitted in the Chrome privacy policy.

- Chrome on mobile automatically shares your location with your default search engine i.e. Google

- Chrome sort of forces a login …which shares browser and user details history with Google

- Google redirects logins through the youtube.com domain to enable them to set a cookie for YouTube as well as Gmail or whatever, every time you login. Naughty stuff.

So the stated reason for the change doesn't appear to make sense, suggesting that something else is going on.

It amazes me that more people aren't calling Google out on this.

> So the stated reason for the change doesn't appear to make sense, suggesting that something else is going on.

That's unsubstantiated and dilutes the discussion IMO. If you read the post, the proposal outlines a bunch of good reasons to stop supporting UA strings (feature detection, etc)

> - Chrome sort of forces a login …which shares browser and user details history with Google

This doesn't get more true by just repeating it over and over. If you login to Google it'll show up in Chrome next to the address bar but it doesn't enable any syncing to Google servers. That's a different step and it requires opt-in. You can also use Chrome without logging in to any Google services.

I don't get why privacy advocates, who often have a point when talking about Google, have to rely on FUD.

Because most of the negative attention that Chromium receives is FUD by people that rely on feelings and not facts.

Invasion of privacy is a valid and serious concern. The fact is that Google is collecting sensitive information semi-consensually and semi-transparently and arguably shouldn't be.

Mostly by Firefox fanboys, who don't see that Firefox has been turned into a Chrome copycat with built-in blocklists and TBB features.

Because let's be honest, most "privacy advocates" on HN are trying to be purer than the other guy. Ideological purity is what they're after, not privacy.

Chrome also announced today a plan to get rid of third-party cookies: https://blog.chromium.org/2020/01/building-more-private-web-... And in fairness to them, Firefox and Safari's changes are very recent.

Anyway, Google is a big company. Different teams have different priorities. Does the US government care about privacy? Depends - at the very least - whether you're the NSA or the FTC. Given the many signs in the past that parts of Google are willing to fight other parts of Google they disagree with, I think a better strategy for us as the community is to call the Chrome team out, specifically, on things under their control and otherwise not be excessively cynical about the fact that they along with a hundred thousand other people work for Google, and some of those other people are bad.

(Automatic login to Google is a thing I think we should call them out for, to be clear.)

I agree that the Firefox change is recent, but not Safari. Safari has had 3rd party cookies disabled for many years now.

It’s pretty silly to claim that the (admittedly bad) privacy policies of Google, or even Chrome, as a whole means it “doesn’t make sense” for any team within Google to advance a pro-privacy or pro-WWW project.

This all-or-nothing mindset ends up harming privacy in practice.

Blink is Chromium's rendering engine. It's separate from Chrome the browser application vended by Google.

Google is not protecting its users' privacy, it is protecting their own business. They want everyone's ads to be worse than Google's, so you use Google. Hiding private data from everyone but themselves is part of the plan.

Exactly. That is also why "logging in to Chrome" or rather Google is such an insidious misfeature. Soon they will be the only ones with cross-site tracking and third-party-cookie equivalents in the leading browser.

That would be check mate for all other advertisers.

I'm just not sure whether it's good or bad that antitrust regulators won't notice before it's too late.

I think that you're right. Regardless, these moves (as weak as they are so far) are beneficial for privacy in general.

I'll take that benefit even if it tilts the advertising table in favor of Google. I don't care even a little about the overall health of the advertising/marketing industry.

From my experience, I always needed to explicitly change Firefox setting to disable 3rd party cookies on a fresh install.

I don’t know if Google redirecting their logins through YouTube and Gmail is as bad as you make it out to be.

- Chrome on mobile automatically shares your location with your default search engine i.e. Google

Holy fuck!

This is a backwards step. I get the user agent is revealing things it has no right to, like OS, but not all browsers are made equal; I need to know what it's capable of.

They are adding a property for this. A browser will expose a bunch of 'I Support this' flags and client hints rather than a browser version.
