WICG/ua-client-hints

Consider adding major platform version to low entropy set

bob-tee opened this issue · 4 comments

The Client Hints in the low entropy set includes the platform but not the platform version.

It would be really useful if the Sec-CH-UA-Platform-Version Client Hint could be treated the same as the browser version and include the major platform version as part of the low entropy hints and the full version as part of the high entropy hints.

This would not increase the fingerprinting surface much given that the major browser version is already present but would make things clearer and easier for applications consuming Client Hints as the data received would be progressive depending on first/second request and user permission to send the full version.

Sure, but many small increases in entropy equal a large increase in entropy - Sec-CH-UA-Platform wasn't originally a low-entropy hint either.

I understand that point of view but there are many use-cases where knowing even the major platform version up front is beneficial. It also makes the Client Hint approach more consistent and understandable for users trying to use it. It does of course add to the overall entropy but, IMHO, providing the major platform version and not the full version is a good tradeoff.

This would not increase the fingerprinting surface much given that the major browser version is already present...

Can you quantify "much"? There isn't a 1:1 correlation between major browser version and major platform version.

Browser versions are available across many major and minor versions of an OS, and the majority of users will be on the latest version of an OS. But that leaves the minority of older OS versions more unique in terms of fingerprinting, e.g.:

https://gs.statcounter.com/os-version-market-share/windows/desktop/worldwide
https://gs.statcounter.com/os-version-market-share/macos/desktop/worldwide

but would make things clearer and easier for applications consuming Client Hints as the data received would be progressive depending on first/second request and user permission to send the full version.

Could you clarify here? I'm not sure I follow.
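To make the "minority OS versions are more unique" and "many small increases in entropy" points concrete, here is an added example (not from this thread or the spec) that splits a Sec-CH-UA-Platform-Version value into the major part proposed for the low-entropy set, then computes the surprisal in bits of each major value under a constructed share distribution and the expected entropy the hint would add. The share numbers are made up for illustration, not StatCounter's figures.

```python
import math

# Constructed market-share distribution for major platform versions of one
# platform. Illustrative numbers only, NOT real StatCounter data.
PLATFORM_MAJOR_SHARE = {
    "12": 0.60,  # majority of users on the latest version
    "11": 0.25,
    "10": 0.10,  # older minority
    "9": 0.05,   # long tail: rarest, so most identifying
}


def major_version(sf_string: str) -> str:
    """Reduce a Sec-CH-UA-Platform-Version value (a Structured Field string,
    e.g. "14.2.1" including the quotes) to its major component, which is what
    the issue proposes sending as a low-entropy hint."""
    full = sf_string.strip().strip('"')
    return full.split(".", 1)[0]


def surprisal_bits(share: float) -> float:
    """Bits revealed by observing one value whose share of users is `share`.
    Rarer values (old OS versions) give higher surprisal."""
    return -math.log2(share)


def per_value_surprisal(dist: dict) -> dict:
    """Surprisal of every value in the distribution, keyed by value."""
    return {v: surprisal_bits(p) for v, p in dist.items() if p > 0}


def shannon_entropy_bits(dist: dict) -> float:
    """Expected bits a hint drawn from `dist` adds to the fingerprint."""
    return sum(p * surprisal_bits(p) for p in dist.values() if p > 0)


def combined_entropy_bits(dists: list) -> float:
    """Entropy of several hints treated as independent: the 'many small
    increases add up' case. Correlated hints (browser major vs platform
    major are not 1:1 but not independent either) contribute less than
    this upper bound."""
    return sum(shannon_entropy_bits(d) for d in dists)


if __name__ == "__main__":
    print(major_version('"12.4.0"'))
    for v, bits in per_value_surprisal(PLATFORM_MAJOR_SHARE).items():
        print(f"major {v}: {bits:.2f} bits")
    print(f"expected: {shannon_entropy_bits(PLATFORM_MAJOR_SHARE):.2f} bits")
```

The rarest version in the constructed table reveals over four bits on its own while the majority version reveals under one, which is the asymmetry the comment above describes.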

I'm going to close this due to lack of response from @bob-tee. But happy to re-open if that changes :)