This README will serve as a reference for the Chromium implementation of HTTP Client Hints, the HTML and Fetch integrations, and the Critical-CH response header as defined in the Client Hints Reliability draft.
The code can be found in the following directories:
HTTP Client Hints are request headers that can be optionally sent to origins that signal they want extra information via a response header (Accept-CH
). When an origin sends an Accept-CH
header with a (comma separated) list of client hint headers it would like to receive (on a secure top-level navigation request) those preferences are stored by the browser. Every subsequent request to an origin will contain those extra client hint request headers, as described in the HTTP Client Hints specification. This cache is cleared when session cookies are cleared, or when a user clears site data or cookies for a given origin.
Every document created with that origin contains those preferences as a “client hint set” and uses that set alongside other settings to decide what client hints to delegate to sub-resource requests associated with that document.
When requests are initiated from a document, the client hints are filtered through Permission Policies, which allows origins to control what features are used by what 3rd parties in a document. By default, the feature policies for client hints (except Sec-CH-UA
and Sec-CH-UA-Mobile
) are set to “self,” which means that hints are only delegated to the same origin as the (top-level) document. The permission can also be a list of origins or an asterisk *
for all origins (Sec-CH-UA
and Sec-CH-UA-Mobile
are considered “low-entropy” and safe to send to all origins, thus their defaults are *
). Permissions can also be set in HTML for iframes in the same format through the allow
attribute.
Note: All client hints (top-level and subresource) are gated on JavaScript being enabled in Chrome. While not explicitly stated, it fits into the requirement to only reveal information visible through JavaScript interfaces.
There are two situations where a request could have hints that are different from what the origin wanted:
As HTTP Client Hints are defined, there’s no way to know which is the case. Two mechanisms were defined in the Client Hints Reliability proposal:
Currently only the former, the Critical-CH retry mechanism, is implemented.
The Critical-CH
response header is a signal from the origin that the hints listed are important to have on the very first request (i.e. make a meaningful change to the request). The algorithm is fairly straightforward:
Accept-CH
header (including user preferences and local policy)Critical-CH
list that were not sent but would have been:Client Hint preferences are stored in the preferences service as a content setting (ContentSettingsType::CLIENT_HINTS
), keyed to the origin. This storage is accessed through the content::ClientHintsControllerDelegate interface, with the principle implementation being client_hints::ClientHints in //components (to share across multiple platforms). The delegate is accessible in the browser process as a property of the content::BrowserContext (in //chrome land, this is implemented as the Profile and “Off The Record” Profile. An important note is that there is an “incognito profile” that gets its own client hints storage).
This storage is marked as content_settings::SessionModel::UserSession
. This means that when settings are read in from disk (on browser start up) there’s also a check for a flag that’s set on graceful shutdown. (This is to exclude crashes and browser updates). If that flag is set, the settings are cleared. Practically, this means that the settings are cleared after closing the browser.
The code for reading from and writing to the client hint preferences in content is in /content/browser/client_hints/client_hints.cc
The preferences are read on the construction of a ClientHintsExtendedData
object, which then will use the FrameTreeNode
(which is where the object gets first party origin and permission policy information) and client hints preferences to calculate what hints should be sent for a given request.
The preferences are written in ParseAndPersistAcceptCHForNavigation
, which is also where various settings (secure context, JS permissions, feature flags set) are checked before sending the information to the controller delegate.
The client hints set is passed into the document on commit from NavigationRequest::CommitNavigation to the document and is used in FrameFetchContext::AddClientHintsIfNecessary, where all of the relevant client hint information gets filled into the headers to be sent.
The Critical-CH retry mechanism is implemented as content::CriticalClientHintsThrottle and all of the important logic is in WillProcessResponse
. When a retry situation is found (and the redirected_
flag isn’t set) the header is stored, the new hints are added to the request, and the request is “restarted” (i.e. the request is aborted and a new one is started).
There’s two main steps to adding a hint to Chromium: adding the token, and populating the value when appropriate
The canonical enum for client hint tokens is network::mojom::WebClientHintsType. Any new token should be added to the end of that list. Along with that:
kClientHintsNameMapping
in /services/network/public/cpp/client_hints.cc.kClientHintsHeaderMapping
in /third_party/blink/common/client_hints/client_hints.cc and update its test.WebFeature
in /third_party/blink/public/mojom/web_feature/web_feature.mojom.kWebFeatureMapping
in /third_party/blink/renderer/core/loader/frame_client_hints_preferences_context.cc.Accept-CH
header in the appropriate test files in /chrome/test/data/client_hints/ and /third_party/blink/web_tests/external/wpt/client-hints.expected_client_hints_number
to the current value + 1 in /chrome/browser/client_hints/client_hints_browsertest.cc.NOTE: It’s very important that the order of these arrays remain in sync.
There should also be a new feature policy created:
kClientHintsPermissionsPolicyMapping
in /third_party/blink/common/client_hints/client_hints.cc.PermissionsPolicyFeature
enum in /third_party/blink/public/devtools_protocol/browser_protocol.pdl, /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.pdl, and /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.json.The header should also be added to the cors safe_names
list in /services/network/public/cpp/cors/cors.cc and update its test.
TODO(crbug.com/1176808): There should be UseCounters measuring usage, but there are not currently.
Client Hints are populated in BaseFetchContext::AddClientHintsIfNecessary. If you need frame-based information, this should be added to ClientHintsImageInfo, which is populated in FrameFetchContext::AddClientHintsIfNecessary