Client Hints

Third-party domains are web servers, not owned by the website being visited, from which resources such as images and script files are loaded.

Privacy researchers have since raised concerns that Client Hints are primarily accessed by JavaScript code that tracks users.

In 2023, a study from KU Leuven and Radboud University found that, across the top 100,000 websites on the internet, most accesses of Client Hints came from JavaScript code used for tracking and advertising purposes.

Since then, User-Agent headers have become increasingly complex and have come to contain significant, uniquely identifying information about the user.

They cited Client Hints as a privacy-preserving alternative to User-Agent headers, since they allow the same information to be shared in a more controlled way.[8]

Since their initial opposition, Mozilla has updated its stance to neutral[7] and Brave has synchronized its implementation of Client Hints with that of Chrome.[2]

The Client Hints protocol defines two entities: a user agent (UA), typically a browser, and a server.

Low-entropy data is exposed as object properties of the API, whereas high-entropy data, which can uniquely identify the user, must be explicitly requested by the client by calling the API's getHighEntropyValues() function; this gives the browser a chance to ask for user permission or to perform additional checks.[6]
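As an added illustration of the low/high-entropy split described above (example code, not from the article or from any browser vendor), a small Node.js audit helper that classifies the hints a server requests through its Accept-CH response header and parses the Sec-CH-UA request header. The hint names and their classification are taken from my reading of the UA Client Hints specification rather than from this page, and the header values are constructed sample input.

```javascript
// Added audit helper (not from the article). Hint names and their
// low/high-entropy classification follow the UA Client Hints spec as I
// know it; check them against the current spec before relying on this.
// Sent by default with every request; adds little beyond the legacy
// User-Agent string, so it is treated as low entropy.
const LOW_ENTROPY_HINTS = new Set([
  'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform',
]);
// Sent only after a server opts in via Accept-CH (or a script calls
// getHighEntropyValues()); these can make a user uniquely identifiable.
const HIGH_ENTROPY_HINTS = new Set([
  'sec-ch-ua-arch', 'sec-ch-ua-bitness', 'sec-ch-ua-model',
  'sec-ch-ua-platform-version', 'sec-ch-ua-full-version',
  'sec-ch-ua-full-version-list', 'sec-ch-ua-wow64',
]);

// Split an Accept-CH response header (a comma-separated list of hint
// header names) into low-entropy, high-entropy and unrecognised hints,
// so a reviewer can see at a glance what identifying data a server asks for.
function auditAcceptCH(headerValue) {
  const requested = headerValue
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  return {
    low: requested.filter((h) => LOW_ENTROPY_HINTS.has(h)),
    high: requested.filter((h) => HIGH_ENTROPY_HINTS.has(h)),
    unknown: requested.filter(
      (h) => !LOW_ENTROPY_HINTS.has(h) && !HIGH_ENTROPY_HINTS.has(h)),
  };
}

// Parse a Sec-CH-UA request header, a structured-field list of brand
// entries such as  "Chromium";v="118", "Google Chrome";v="118"
// Brand names may contain ';' or ',' inside the quotes, so match the
// quoted pattern instead of splitting on commas.
function parseSecChUa(headerValue) {
  const entries = [];
  const re = /"([^"]*)"\s*;\s*v\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(headerValue)) !== null) {
    entries.push({ brand: m[1], version: m[2] });
  }
  return entries;
}

// Constructed sample headers, as a server might emit and a browser return.
const sampleAcceptCH = 'Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-UA-Platform, DPR';
const sampleSecChUa = '"Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"';
console.log(auditAcceptCH(sampleAcceptCH), parseSecChUa(sampleSecChUa));
```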

The provision in the initial draft would allow third-party domains, such as content delivery networks (CDNs) and cloud service providers, to track users across the web by instructing the browser to send Client Hint information to their servers alongside the original website.[6][14]

Concerns were also raised that the Client Hints proposal was too permissive and explicitly allowed new privacy-compromising information, which could not be obtained simply by reading HTTP headers, to be leaked to servers.[6]

Since the adoption of Client Hints by major browsers like Google Chrome and Microsoft Edge, privacy researchers have raised concerns over their real-world use for tracking.[16]

A subsequent study in May 2024 by researchers from the Hochschule Bonn-Rhein-Sieg University of Applied Sciences noted that, while overall adoption of Client Hints among websites on the internet was low, a significant number of third-party domains known for tracking accessed HTTP Client Hints data.