Unveiling the Impact of User-Agent Reduction and Client Hints:
A Measurement Study


To appear at WPES'23


This study examines recent changes in browser behavior related to user-agent string. Browsers including Chrome have reduced the identifying information in user-agent strings to enhance user privacy. However, Chrome has also introduced high-entropy user-agent client hints (UA-CH) and new JavaScript API to provide access to specific browser details. The study assesses the impact of these changes on the top 100,000 websites by using an instrumented crawler to measure access to high-entropy browser features via UA-CH HTTP headers and the JavaScript API. It also investigates whether tracking, advertising, and browser fingerprinting scripts have started using these new client hints and the JavaScript API.

Paper » Source code »

📈 Highlights

  • High-entropy UA-CHs are accessed by one or more scripts on 59.2% of the sites via the getHighEntropyValues method. The 93.8% of these calls were made by tracking and advertising-related scripts — primarily by those owned by Google.
  • On 91.6% of the sites where high-entropy client hints are accessed via the JavaScript API, the high-entropy hints are exfiltrated by a tracker script to a remote server.
  • The use of UA-CH HTTP headers is very limited both for opt-in by first parties (1.3% of the sites), and delegation to 3rd parties (0.4% of the sites).
  • Overall, the UA reduction efforts seems to have reduced the risk of passive fingerprinting, but tracking scripts continue to enjoy their ungated & unfettered access on Chromium-based browsers.

🔍 What is UA string and why is it important?

    The UA HTTP header, introduced in 1992 for statistical purposes and the tracing of protocol violations, initially contained one or more tokens of software name and versions such as LII-Cello/1.0 libwww/2.5. Today, it provides extensive browser, device, and platform details, used for analytics, debugging, and compatibility checks. However, it can also enable covert cross-site tracking through browser fingerprinting when combined with device data like screen size and fonts. Passive fingerprinting extracts data from network packets without client-side code, including user-agent, IP address, Accept headers, clock skew, and protocol quirks. This allows third-party trackers to link user web visits without running client-side code, evading detection.

🔄 What changed and how?

    Google's UA Reduction initiative contains three key components:
  • Reducing the detail of the UA string and freezing specific elements. For instance, in Chrome 101 (June 2022), minor version numbers were replaced with zeros, making a UA string like Chrome/101.3.2.1 become Chrome/101.0.0.0. Furthermore, CPU and platform-related details were simplified for desktop browsers in Chrome 107 (February 2023), and the Android version number was replaced with a fixed "10" in May 2023.
  • Implementing user-agent client hint (UA-CH) HTTP headers, which offer a structured alternative to the UA string. These headers were enabled by default in Chrome 89, released in March 2021.
  • Introducing a new JavaScript interface known as NavigatorUAData, containing properties and methods for scripted access to UA-CHs. This was introduced in Chrome 90, released in April 2021.

Access to User-Agent Client Hints via HTTP

Chrome automatically adds three low-entropy client hints (platform name, major browser version, and mobileness) to secure (HTTPS) HTTP requests. High-entropy client hints require explicit opt-in for first or third-party use. Top-level origins can request high-entropy UA-CH headers by sending the Accept-CH response header as shown in Fig.1, and the browser sends these additional CH headers in subsequent requests to the first-party domains. To ensure high-entropy UA hints are available on the first navigational request, servers can use the Critical-CH response header as shwon in Fig.2. When clients receive this header, they must verify if high-entropy hints were sent in the original request. If not, the client will resend the request with the required hints.
Fig.1 - The Accept-CH response header mechanism used by servers to request high-entropy user-agent client hints from clients. After receiving an Accept-CH header during a secure top-level navigation request, the browser appends the requested client hint headers in subsequent requests. The image is adapted from Google’s documentation.
Fig.2 - Requesting high-entropy CHs initially using Critical-CH header: When the server asks for a Critical-CH, the client will retry the initial webpage request with it. The image is adapted from Google’s documentation.

Access to User-Agent Client Hints via the JavaScript API

Previously, UA information was accessible to scripts via properties like userAgent, appVersion, and platform in the navigator object. However, as part of UA reduction efforts, the data exposed through these properties was reduced. To offer an alternative way for scripts to access high-entropy browser features, Chrome introduced a JavaScript API for user-agent client hints. This API includes an interface named NavigatorUAData, which provides low-entropy UA values, and an asynchronous method called navigator.userAgentData. getHighEntropyValues, offering high-entropy UA values. 
                                    
// Log the full user-agent data
navigator
  .userAgentData.getHighEntropyValues(
    ["architecture", "model", "bitness", "platformVersion",
     "fullVersionList"])
  .then(ua => { console.log(ua) });

// output
{
   "architecture":"x86",
   "bitness":"64",
   "brands":[
      {
         "brand":" Not A;Brand",
         "version":"99"
      },
      {
         "brand":"Chromium",
         "version":"98"
      },
      {
         "brand":"Google Chrome",
         "version":"98"
      }
   ],
   "fullVersionList":[
      {
         "brand":" Not A;Brand",
         "version":"99.0.0.0"
      },
      {
         "brand":"Chromium",
         "version":"98.0.4738.0"
      },
      {
         "brand":"Google Chrome",
         "version":"98.0.4738.0"
      }
   ],
   "mobile":false,
   "model":"",
   "platformVersion":"12.0.1"
}

Delegating hints to third-parties

By default, third-party subresource requests do not include UA-CHs, and third parties cannot request high-entropy UA-CHs independently. Instead, the first-party server must send a Permissions Policy header specifying the origins permitted to receive the UA-CHs. Figure 3 provides examples of implementing the Permissions Policy. For example, if example.com wants to provide the full browser version to a resource from sample-cdn.com, it can request the Sec-CH-UA-Full-Version hint for https://example.com. However, it must explicitly delegate this hint to https://www.sample-cdn.com using the Permissions-Policy response header, as shown in Step 3 in Figure 3. Subsequent requests to subresources on sample-cdn.com will include the delegated hint, such as Sec-CH-UA-Full-Version: "113.0.5672.63." To delegate CHs to cross-origin iframes, you need to specify the CHs both in the iframe's allow attribute and in the Permissions Policy response header. Figure 3 provides a visual representation of this process in step d. When an iframe, sourced from https://sample-cdn.com, includes the allow attribute, it becomes eligible to receive the Sec-CH-UA-Full-Version CH header. However, as shown in step e of Figure 3, the absence of the allow attribute will result in the exclusion of this high-entropy CH. Sample c in Figure 3 illustrates a same-site, cross-origin frame (subdomain.example.com). Despite having an iframe allow attribute for UA-CHs, the high-entropy hint will not be sent when loading this iframe, because it is not included in the origin list.
Fig.3 - Delegating client hints to Third-Party Origins by Permissions-Policy. The image is based on a figure in Google’s documentation.

User-Agent Client Hint opt-in and delegation via HTML

For publishers unable to modify their website's Permissions Policy HTTP header, there are HTML-based options to enable or delegate high-entropy client hints. Using the HTML <meta> element, publishers can opt-in for high-entropy CHs for first-party requests. This involves using the http-equiv="Accept-CH" attribute along with the content attribute, which specifies the hints to be delegated and their recipient origins. Similarly, the http-equiv attribute of the <meta> element allows explicit delegation of high-entropy CHs to third-party domains. To achieve this, the http-equiv="delegate-ch" attribute is used, along with the content attribute, which designates the hints to be delegated and the corresponding recipient origins.

🏁 Findings

getHighEntropyValues calls and exfiltrations

We observed that the getHighEntropyValues method was called by one or more third-party scripts on 52,392 unique sites, representing 58.4% of the visited sites. Following table provides details on the prevalence of these API calls on the analyzed websites. We found that almost all calls (98.6%) are due to third-party and tracking-related scripts.
All Third party Tracking related
getHighEntropyValues calls 53,148 52,392 51,630
Hi-ent. UA-CH exfiltrations 48,355 47,691 47,285

Most common categories of third-party scripts that call getHighEntropyValues method

The right-hand column shows the number of distinct websites where we detected at least one call to getHighEntropyValues from the respective category.
Script Category Num. Sites
Ad Motivated Tracking 44,084
Advertising 43,976
Audience Measurement 40,901
Third-Party Analytics Marketing 40,491
Analytics 40,347
Action Pixels 13,224
Embedded Content 4,523
CDN 4,342
Social - Share 2,338
Ad Fraud 1,339

Top tracker domains that call getHighEntropyValues and exfiltrate high-entropy values

We found that five scripts that retrieve high-entropy hints on most sites come from Google, and most of them are advertising-related. Specifically, googletagmanager.com, googlesyndication.com, and doubleclick.net emerged as the prominent tracker domains among the identified third-party domains as shown in the following table.
High Entropy API calls High Entropy API exfiltrations
Tracker domain Num. Sites Tracker domain Num. Sites
googletagmanager.com 28,929 google-analytics.com 22,517
googlesyndication.com 6,843 google.com 9,325
doubleclick.net 3,633 doubleclick.net 8,853
googletagservices.com 1,414 googlesyndication.com 2,018
googleadservices.com 673 crwdcntrl.net 985
quantserve.com 437 sharethis.com 531
taboola.com 330 gemius.pl 356
clarity.ms 192 taboola.com 315
statcounter.com 161 id5-sync.com 253
wpadmngr.com 152 tynt.com 202

getHighEntropyValues arguments sorted by the number of distinct sites they were observed on

Analyzing function call arguments, we found that the most frequently requested UA client hints via the JavaScript API are model and platformVersion as shown in the following table. Notably, a third-party mistakenly calls getHighEntropyValues with an mistyped argument, uaFulVersion, on seven distinct sites. Additionally, on 174 sites the method is called with the argument None by scripts served from the ampproject.org domain. In this case, Chrome only returns low-entropy hints.
UA Client Hint Num. Num.
Sites		 Num. of Script
Domains
model 52,270 970
platformVersion 52,214 1,052
platform 51,529 746
fullVersionList 51,321 792
architecture 51,229 618
bitness 50,874 554
uaFullVersion(deprecated) 50,743 359
wow64 50,132 80
mobile 7,615 283
brands 5,208 462
None 174 1
uaFulVersion 7 1

The number of distinct sites where CH headers were observed on requests


Ent UA-CH Header All Third Party Tracking Related
high Sec-CH-UA-Platform-Version 886 331 134
Sec-CH-UA-Model 886 329 132
Sec-CH-UA-Full-Version-List 696 261 67
Sec-CH-UA-Arch 667 257 63
Sec-CH-UA-Full-Version 581 217 25
Sec-CH-UA-Bitness 491 217 25
Sec-CH-UA-Wow64 401 210 21
low Sec-CH-UA 89,141 78,476 67,560
Sec-CH-UA-Mobile 89,141 78,476 67,560
Sec-CH-UA-Platform 89,141 78,478 67,560

The number of distinct sites where UA-CHs were opted-in via the Accept-CH header


Ent UA-CH Header Num. Sites
high Sec-CH-UA-Model 1,046
Sec-CH-UA-Platform-Version 870
Sec-CH-UA-Full-Version-List 824
Sec-CH-UA-Arch 799
Sec-CH-UA-Full-Version 538
Sec-CH-UA-Bitness 443
Sec-CH-UA-Wow64 354
low Sec-CH-UA-Platform 818
Sec-CH-UA 434
Sec-CH-UA-Mobile 403

The number of distinct sites delegating high-entropy UA-CHs via the Permissions Policy header

Most websites use ’*’ instead of specific origins to delegate to all possible origins. These cases are indicated in the ’Allow All’ column.
Ent UA-CH Header Allow All(*) Total
high ch-ua-platform-version 312 338
ch-ua-model 310 337
ch-ua-full-version-list 259 266
ch-ua-arch 261 266
ch-ua-bitness 221 225
ch-ua-full-version 225 225
ch-ua-wow64 218 222
low ch-ua-platform 218 225
ch-ua 4 6
ch-ua-mobile 4 6

Reduction in high-entropy User-Agent exposure

We compared the domains with access to high-entropy UA-CHs through the getHighEntropyValues method and those actually using this privilege. Figure 4 indicates that out of the 41,229 distinct third-party domains encountered, 25,052 (61%) serve active content categorized as "script" or "document". These domains could start collecting high-entropy UA-CHs by simply adding a call to the getHighEntropyValues method. This action could potentially triple the number of domains accessing high-entropy UA-CHs, which currently stands at 9,095 (22%) distinct third-party domains.
Fig.4 - Comparing distinct 3rd-party domains that can run scripts and thus can access high-entropy UA-CHs and those that accessed high-entropy UA-CHs via the JavaScript API.

📁 Data and Code

The source code for the crawler, analysis scripts, and the data can be found in the following repositories: