Client Hints is an extension to the HTTP protocol that allows servers to ask the client (usually a web browser) for information about its configuration. This helps the server tailor its responses to the client; for example, a server can choose to send a smaller image if a client advertises that it has a very small screen. The client can choose to respond to this request by advertising the requested information about itself, either by sending the data in HTTP header fields or by exposing the same information to the JavaScript code being executed on a web page.
Proposed by Google engineers in 2013, Client Hints was designed as a privacy-focused alternative to user-agent headers, as part of an initiative by Google called Privacy Sandbox. User-agent headers are strings sent by a client to identify itself to a server. While initially intended for statistical purposes, these headers had increasingly become a tool for tracking users across websites. Client Hints aimed to address this issue by providing a more controlled way to share the same information. Despite the focus on privacy, the initial design of Client Hints faced criticism from other browser vendors. One of the primary concerns raised was that the protocol could enable new forms of tracking by third-party domains, that is, web servers not owned by the website that load resources like images and script files. Despite these concerns, Chrome implemented support for Client Hints in August 2020. By 2024, over 75% of web users had browsers that supported Client Hints.
Privacy researchers have since raised concerns that Client Hints is primarily being used by JavaScript code which tracks users. In 2023, a study from KU Leuven and Radboud University found that, when examining the top 100,000 websites on the internet, most accesses of Client Hints came from JavaScript code used for tracking and advertising purposes.
Background
In 1992, an extension to the HTTP protocol was introduced adding a User-Agent HTTP header, which was sent from the client to the server and contained a simple string identifying the name of the client and its version. The header was meant purely for statistical purposes and for tracking down clients that violated the protocol. Since then, User-Agent headers have become increasingly complex and have started to contain significant uniquely identifying information about the user. Often, this information is used to perform browser fingerprinting, allowing sites to track users across sites passively without having to load any JavaScript for the user.
History
The original draft of the Client Hints specification was proposed in 2013 by engineers at Google. The specification became an Internet Engineering Task Force (IETF) draft in November 2015. In 2021, the specification was upgraded to the status of an experimental Request for Comments (RFC). This designation indicated that the IETF had accepted the Client Hints specification as an internet standard, but that it either still had unresolved questions or had not yet gained widespread adoption on the internet. Around the same time, the specification for how web browsers would handle HTTP Client Hints on the web was published as a draft W3C Community Group Report.
In 2020, Google announced its intention to deprecate the user-agent (UA) declaration by the browser. This deprecation was part of a broader initiative by Google, called Privacy Sandbox, to make changes to the web that allow websites to access user information without compromising privacy. Google cited Client Hints as a privacy-preserving alternative to user-agent headers, since they allowed for a more controlled way of sharing the same information. The initial Client Hints proposal, however, was met with pushback from other browser vendors due to privacy concerns. In 2019, Brave raised concerns about the initial proposal, citing ways in which it could be used to track users on the internet. Mozilla, the company that makes Firefox, initially classified the proposal as harmful, and Apple, the company that makes Safari, also took a negative stance against the proposal. Despite these concerns, Chrome implemented support for HTTP Client Hints in August 2020. While the deprecation of the UA strings was delayed due to the COVID-19 pandemic, this process was completed in February 2023.
Since their initial opposition, Mozilla has updated its stance to neutral and Brave has synchronized its implementation of Client Hints with that of Chrome. As of 2024, over 75% of all web users use browsers that support Client Hints.
Mechanism
The Client Hints protocol defines two entities: a user agent (UA), typically a browser, and a server. These two entities communicate with each other to negotiate what kind of content should be served to the user. The process involves the server sending the UA a response with an Accept-CH HTTP header containing a list of the Client Hint HTTP headers that it requires. Subsequently, the UA is expected to return the requested client hints with each subsequent request, provided it supports those hints. These headers are then used by the server to make decisions on what kind of content to serve the UA. If the UA does not understand or support a particular client hint, it is instructed to ignore that hint. In cases where a response depends on a specific Client Hint and may be cached, the server must list the applicable client hint headers in a separate Vary header sent to the UA. This ensures that caching mechanisms understand that responses can vary based on different client hint values. For client hints that specifically identify a browser, additional random browser identifiers are included as grease in order to prevent users of the protocol from relying on browser-specific idiosyncratic behaviours.
For UAs that allow JavaScript, an additional option is available through the navigator.userAgentData JavaScript API. This API enables JavaScript to retrieve the same information as provided by the Client Hints headers. The API separates the data it provides into two types: low-entropy data and high-entropy data. Low-entropy data corresponds to information that is likely to be similar across a large group of users, such as the platform on which the browser is running and the brand of the browser. In contrast, high-entropy data may vary significantly between users, including details like the exact version number of the browser and the model of the user's device. Low-entropy data is exposed directly as properties of the API object, whereas high-entropy data, which can uniquely identify the user, must be explicitly requested by the client by calling the getHighEntropyValues() function of the API, which allows the browser to ask for user permission or to perform additional checks.
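As an added example (not code from the article or from any browser vendor), the following script reads the low-entropy fields of navigator.userAgentData synchronously and requests high-entropy fields through getHighEntropyValues(), falling back gracefully when the browser refuses. The uaDataStub object, the KNOWN_BRANDS allowlist and every value in them are constructed so the code runs in Node.js without a browser; in a supporting browser the real API object is used instead.

```javascript
// Added example: reading User-Agent Client Hints through navigator.userAgentData.
// uaDataStub is a constructed stand-in for the browser-supplied object so the
// script runs offline in Node.js; in a browser the real object is used instead.
const uaDataStub = {
  // One made-up "grease" brand is mixed in, as browsers do at random, so that
  // consumers cannot depend on the exact list or ordering of brands.
  brands: [
    { brand: 'Not;A Brand', version: '99' },     // constructed grease entry
    { brand: 'Chromium', version: '120' },
    { brand: 'Google Chrome', version: '120' },
  ],
  mobile: false,
  platform: 'Linux',
  // High-entropy values are released only for the hints explicitly asked for;
  // the low-entropy fields are always included in the result.
  getHighEntropyValues(hints) {
    const highEntropy = {                          // constructed sample values
      architecture: 'x86',
      model: '',
      platformVersion: '6.5.0',
      uaFullVersion: '120.0.0.0',
    };
    const result = { brands: this.brands, mobile: this.mobile, platform: this.platform };
    for (const hint of hints) {
      if (hint in highEntropy) result[hint] = highEntropy[hint];
    }
    return Promise.resolve(result);
  },
};

// Brands this consumer knows how to act on. Anything else (including grease)
// is counted but otherwise ignored instead of breaking the logic.
const KNOWN_BRANDS = new Set(['Chromium', 'Google Chrome', 'Microsoft Edge', 'Brave']);

// Low-entropy data: plain properties, available without any permission step.
function lowEntropySummary(uaData) {
  const knownBrands = [];
  let unknownBrandCount = 0;
  for (const { brand } of uaData.brands) {
    if (KNOWN_BRANDS.has(brand)) knownBrands.push(brand);
    else unknownBrandCount += 1;
  }
  return { knownBrands, unknownBrandCount, mobile: uaData.mobile, platform: uaData.platform };
}

// High-entropy data: must be requested by name, and the browser may refuse,
// so the rejection is handled and the caller falls back to the low-entropy set.
async function fetchHighEntropy(uaData, hints) {
  try {
    return await uaData.getHighEntropyValues(hints);
  } catch (err) {
    return { error: String(err), ...lowEntropySummary(uaData) };
  }
}

// Use the real API when running in a supporting browser, else the stub.
const uaData = (typeof navigator !== 'undefined' && navigator.userAgentData) || uaDataStub;
console.log(lowEntropySummary(uaData));
fetchHighEntropy(uaData, ['platformVersion', 'model']).then((v) => console.log(v));
```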
Example
To initiate content negotiation, an HTTP server appends the Accept-CH header to the response to an HTTP request:
HTTP/1.1 200 OK
...
Accept-CH: Viewport-Width
...
If the user agent supports the Viewport-Width client hint, it will append the Viewport-Width header to every subsequent request.
GET /gallery HTTP/1.1
...
Viewport-Width: 1920
...
The server can then use the information in the Viewport-Width header to decide what kind of content to serve the client. For example, if the server has a particular image that is extremely large, it can be configured to return a smaller image if the image does not fit the viewport.
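An added example (not part of the article, nor code from any particular server) of the server side of this negotiation in Node.js: pickImageResponse() selects an image variant from the Viewport-Width header, keeps advertising Accept-CH so the UA learns to send the hint, and lists the hint in Vary so caches keep the variants apart. The image variants, file paths and request headers are constructed; the absent-header and malformed-value cases are handled because the hint is optional and client-controlled.

```javascript
// Added example: server side of the Viewport-Width negotiation above (Node.js).
// Image variants and request headers are constructed sample data.
const IMAGE_VARIANTS = [                       // ascending by width in CSS px
  { width: 600, path: '/img/hero-600.jpg' },
  { width: 1200, path: '/img/hero-1200.jpg' },
  { width: 2400, path: '/img/hero-2400.jpg' },
];
const LARGEST = IMAGE_VARIANTS[IMAGE_VARIANTS.length - 1];

// Parse Viewport-Width defensively. The header is absent on the first request
// (the UA has not seen Accept-CH yet) and when the UA does not support the
// hint; a malformed value is client-controlled input and is not trusted.
// Returns the width in CSS pixels, or null when no usable value was sent.
function parseViewportWidth(headers) {
  const raw = headers['viewport-width'];       // Node lower-cases header names
  if (typeof raw !== 'string') return null;
  const value = raw.trim();
  if (!/^\d{1,6}$/.test(value)) return null;   // non-negative integer only
  const width = Number(value);
  return width > 0 ? width : null;
}

// Pick the narrowest variant that still covers the viewport; with no usable
// hint, or a viewport wider than every variant, fall back to the largest.
function selectVariant(viewportWidth) {
  if (viewportWidth === null) return LARGEST;
  return IMAGE_VARIANTS.find((v) => v.width >= viewportWidth) || LARGEST;
}

// Build the response for the image request: the body is the chosen file path
// (a real server would stream the file), and the headers carry both halves of
// the negotiation contract.
function pickImageResponse(requestHeaders) {
  const variant = selectVariant(parseViewportWidth(requestHeaders));
  return {
    status: 200,
    headers: {
      'Content-Type': 'image/jpeg',
      // Keep advertising the hint so supporting UAs send it on later requests.
      'Accept-CH': 'Viewport-Width',
      // Tell caches the body depends on the hint, so a 320 px client is never
      // handed the cached 2400 px variant chosen for a 1920 px client.
      'Vary': 'Viewport-Width',
    },
    body: variant.path,
  };
}

// Constructed requests: the first request (no hint yet), a hinted request like
// the article's example, and a malformed value.
for (const headers of [{}, { 'viewport-width': '1920' }, { 'viewport-width': '12px' }]) {
  const res = pickImageResponse(headers);
  console.log(JSON.stringify(headers), '->', res.body, res.headers['Vary']);
}
```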
Privacy concerns
When the Client Hints proposal was originally published, it was met with significant privacy concerns. Browser vendors like Brave and Mozilla pointed out that a particular provision in the initial draft of the proposal allowed websites to instruct the browser to provide Client Hint data to third-party domains. Third-party domains are domains that do not execute any JavaScript code, but rather load resources like images and script files. Such third-party domains include content delivery networks (CDNs) and cloud service providers. CDNs distribute website content across a network of geographically dispersed servers to improve the speed and reliability of the website. Cloud providers like Cloudflare and Google Cloud offer services like data storage, computing power, and infrastructure for websites and applications. These entities could track users across the web by instructing the browser to send Client Hint information to their servers alongside the original website.
Concerns were also raised that the Client Hints proposal was too permissive and explicitly allowed new privacy-compromising information, which could not be obtained by simply reading HTTP headers, to be leaked to servers.
Additionally, extensions that aim to preserve a user's privacy, like the NoScript extension, also opposed the proposal on the grounds that it would make it significantly harder to prevent sites from exfiltrating privacy-compromising information about users.
Since the adoption of Client Hints by major browsers like Google Chrome and Microsoft Edge, privacy researchers have raised concerns over their real-world use for tracking. A 2023 study by researchers from KU Leuven and Radboud University found that, out of the top 100,000 websites, 60% of JavaScript files loaded by web pages accessed the Client Hints JavaScript APIs, most of them being tracking and advertising scripts, many of which came from Google. Over 90% of these script files exfiltrated the obtained data to tracking domains. A subsequent study in May 2024 by researchers from the Hochschule Bonn-Rhein-Sieg University of Applied Sciences noted that while overall adoption of Client Hints amongst websites on the internet was low, a significant number of third-party domains known for tracking accessed HTTP Client Hints data.
See also
* Browser sniffing
External links
User-Agent Client Hints – Draft Community Group Report, 9 February 2021