This README will serve as a reference for the Chromium implementation of HTTP Client Hints, the HTML and Fetch integrations, and the Critical-CH response header as defined in the Client Hints Reliability draft.
The code can be found in the following directories:
Client hints are information about the client that is supplied to origins that signal they want the extra information. Historically, this information was in headers such as User-Agent
, Rtt
, or Device-Memory
and was sent with every request. Client hints contain more precise information than the User-Agent
header, but require that the origin opt-in to receive that information.
Client hints are sent to the origin as request headers. UA client hints are also available (in secure contexts) via the navigator.userAgentData
property.
There are several types of client hints, which are handled differently:
All UA client hints are distinguished by a Sec-CH-UA
header prefix. UA hints are available via the JS navigator.userAgentData
API, while other types are not. UA hints are further divided into low- and high-entropy hints. Hints that do not contain enough information to fingerprint a user are considered low-entropy, while the remainder are high-entropy.
Some device client hints are specific to the type of resource being requested. For example, Sec-CH-Resource-Width
is sent only for image fetches.
Except for Save-Data
, network client hints are currently being deprecated.
Some device and user-preference client hints are not sent for fetches in detached frames.
Client hint headers are requested via a response header (Accept-CH
). When an origin sends an Accept-CH
header with a (comma separated) list of client hint headers it would like to receive (on a secure, top-level navigation request) those preferences are stored by the browser. Every subsequent request to an origin will contain those extra client hint request headers, as described in the HTTP Client Hints specification. This cache is cleared when session cookies are cleared, or when a user clears site data or cookies for a given origin.
The response header can also be included in the response HTML using a meta
element. Note that this only works when the element appears in the downloaded HTML. Adding the element from a script does not work.
Every document created with that origin contains those preferences as a “client hint set” and uses that set alongside other settings to decide what client hints to delegate to sub-resource requests associated with that document.
When requests are initiated from a document, the client hints are filtered through Permission Policies, which allows origins to control what features are used by what 3rd parties in a document. By default, the feature policies for client hints (except Sec-CH-UA
and Sec-CH-UA-Mobile
) are set to “self,” which means that hints are only delegated to the same origin as the (top-level) document. The permission can also be a list of origins or an asterisk *
for all origins (Sec-CH-UA
and Sec-CH-UA-Mobile
are considered low-entropy and safe to send to all origins, thus their defaults are *
). Permissions can also be set in HTML for iframes in the same format through the allow
attribute.
Note: All client hints (top-level and subresource) are gated on JavaScript being enabled in Chrome. While not explicitly stated, it fits into the requirement to only reveal information visible through JavaScript interfaces.
There are two situations where a request could have hints that are different from what the origin wanted:
As HTTP Client Hints are defined, there’s no way to know which is the case. Two mechanisms were defined in the Client Hints Reliability proposal:
An explainer for both can be found here
The Critical-CH
response header is a signal from the origin that the hints listed are important to have on the very first request (i.e. make a meaningful change to the request). The algorithm is fairly straightforward:
Accept-CH
header (including user preferences and local policy)Critical-CH
list that were not sent but would have been:The ALPS (“Application-Layer Protocol Settings”) TLS extension allows applications to add application-layer protocol settings to the TLS handshake, notably before the “first” round trip of the application protocol itself.
For the purposes of Client-Hints, this means that an “ACCEPT_CH” HTTP2/3 frame can be added to the handshake, which sets a connection-level addition to the “Accept-CH” cache, meaning the browser can see these settings and reach appropriately before sending the request to a server.
The full explanation is outside of the scope of this document and can be found in the reliability explainer linked above.
All client hint headers should be forbidden request-headers, by virtue of the prefix Sec-
. Historically, some were not forbidden and most of these have been replaced with new headers using this prefix. Within Chromium, these are distinguished with a _DEPRECATED
suffix, e.g., WebClientHintsType::kDeviceMemory_DEPRECATED
. The exception to this rule is the Save-Data
header, which will not be replaced with Sec-CH-Save-Data
.
The “new” naming adds CH
to distinguish client hints from other forbidden request-headers, giving the combined prefix Sec-CH
.
In terms of the implementation, the web sees client hints in three ways: in headers on navigation-related fetches, in headers for subresource fetches, and via the navigator.userAgentData
property.
The first of these occurs in the browser process. Hint data for client-hint types other than UA are fetched from appropriate APIs, such as NetworkQualityTracker
or display::Screen
. Data for UA client hints are gathered in a UserAgentMetadata
type, which is acquired from the embedder via the ClientHintControllerDelegate
.
Subresource fetches and JS access occur in the renderer. The renderer gets UA client hint data from the browser via RenderThreadImpl::InitializeRenderer
and stores it for the lifetime of the renderer thread. The browser gets this data from the embedder via the ContentBrowserClient
delegate. Note that this is entirely independent of the ClientHintControllerDelegate
!
Programmatic access only exposes UA client hints. All other client hints are only revealed in client-hint headers, based on locally-observed information such as that from NetworkStateNotifier
or the frame's device pixel ratio.
Client Hint preferences are stored in the preferences service as a content setting (ContentSettingsType::CLIENT_HINTS
), keyed to the origin. This storage is accessed through the content::ClientHintsControllerDelegate interface, with the principle implementation being client_hints::ClientHints in //components (to share across multiple platforms). The delegate is accessible in the browser process as a property of the content::BrowserContext (in //chrome land, this is implemented as the Profile and “Off The Record” Profile. An important note is that there is an “incognito profile” that gets its own client hints storage).
This storage is marked as content_settings::mojom::SessionModel::DURABLE
. This means that the client hint settings are read in from disk on browser start up and loaded into memory. Practically, this means that the client hint settings persist until the user clears site data or cookies for the origin.
The code for reading from and writing to the client hint preferences in content is in /content/browser/client_hints/client_hints.cc
The preferences are read on the construction of a ClientHintsExtendedData
object, which then will use the FrameTreeNode
(which is where the object gets first party origin and permission policy information) and client hints preferences to calculate what hints should be sent for a given request.
The preferences are written in ParseAndPersistAcceptCHForNavigation
, which is also where various settings (secure context, JS permissions, feature flags set) are checked before sending the information to the controller delegate.
The client hints set is passed into the document on commit from NavigationRequest::CommitNavigation to the document and is used in FrameFetchContext::AddClientHintsIfNecessary, where all of the relevant client hint information gets filled into the headers to be sent.
The Critical-CH retry mechanism is implemented as content::CriticalClientHintsThrottle and all of the important logic is in WillProcessResponse
. When a retry situation is found (and the redirected_
flag isn’t set) the header is stored, the new hints are stored as normal and the request is “restarted” (i.e. the response is changed to an internal redirect to the same location, which is also what DevTools sees).
The ACCEPT_CH restart mechanism is implemented with the navigation stack. The mojo interface network::mojom::AcceptCHFrameObserver is implemented by content::NavigationURLLoaderImpl and the resulting pipe is passed to the URLLoaderFactory and so on through the network::ResourceRequest and related mojo interface.
On the network side, when a TLS socket is selected (either created or re-used from the socket pool) that contains an ACCEPT_CH ALPS frame, it's checked against the headers in the request in ComputeAcceptCHFrame, which removes any tokens from the ACCEPT_CH frame that are already present in the request as headers and checks if the result is empty.
If the result is not empty, it's passed through the AcceptCHFrameObserver mojo pipe (back to content::NavigationURLLoaderImpl) to the browser, and if new headers are added the and navigation is restarted.
Any storage related to an incognito mode profile is cleared when the last incognito tab is closed, including client hint preferences.
--initialize-client-hints-storage
Command Line SwitchA command line flag is available for testing to pre-populate the Accept-CH cache. It takes a json dictionary, where each key is an origin and each value is a string in the same format as the Accept-CH response header.
Each new profile will include these pre-populated preferences except for “Off The Record” profiles (e.g. guest profiles and incognito profiles).
Note: Don't forget to escape quotes if your shell needs it.
An example use might be:
out/default/chrome --initialize-client-hints-storage="{\"https://a.test\":\"Sec-CH-UA-Full-Version\", \"https://b.test\":\"Sec-CH-UA-Model\"}"
There are two main steps to adding a hint to Chromium: adding the token, and populating the value when appropriate. You will probably also want a feature to control use of the hint. Find an example of adding a new UA hint in https://crrev.com/c/4628277.
Add a new Blink feature, named ClientHints<HintName>
(without Sec-CH-UA
) to /third_party/blink/public/common/features.h and /third_party/blink/common/features.cc.
The canonical enum for client hint tokens is network::mojom::WebClientHintsType. Any new token should be added to the end of that list. Along with that:
MakeClientHintToNameMap
in /services/network/public/cpp/client_hints.cc.WebFeature
in /third_party/blink/public/mojom/use_counter/metrics/web_feature.mojom and run /tools/metrics/histograms/update_use_counter_feature_enum.py to update the enum in /tools/metrics/histograms/enums.xml.MakeClientHintToWebFeatureMap
in /third_party/blink/renderer/core/loader/frame_client_hints_preferences_context.cc.static_assert
for network::mojom::WebClientHintsType::kMaxValue
in /content/browser/client_hints/client_hints.cc, leaving a TODO for your implementation.MakeClientHintToPolicyFeatureMap
in [/services/network/public/cpp/permissions_policy/client_hints_permissions_policy_mapping.cc].third_party/blink/public/devtools_protocol/browser_protocol.pdl
third_party/blink/web_tests/virtual/stable/webexposed/feature-policy-features-expected.txt
third_party/blink/web_tests/webexposed/feature-policy-features-expected.txt
If gating the new hint on a feature:
VerifyClientHintsReceived
in /chrome/browser/client_hints/client_hints_browsertest.cc to skip your new header when the feature is not enabled.IsDisabledByFeature
in /third_party/blink/common/client_hints/enabled_client_hints.cc, based on your new feature.TODO(crbug.com/40168503): There should be UseCounters measuring usage, but there are not currently.
At this point, if the hint is gated on a feature, tests should pass when that feature is disabled. In particular, check that content_unittests
passes tests matching *Cors*
, and browser_tests
passes tests matching *ClientHints*
.
As described in “Client-Hint Data Sources” above, client hints are populated in several places:
blink::UserAgentMetadata
and determined in ClientHintsControllerDelegate
for navigation fetches and ContentBrowserClient
for programmatic access and subresource fetches.content::AddNavigationRequestClientHintsHeaders
and content::AddRequestClientHintsHeaders
.After updating these sites to populate the hint, update the various tests for this new header. This includes WPTs, Webview Java tests, and browsertests.
blink::UserAgentMetadata
also needs to extend the related Chrome Devtools Protocol API calls, namely setUserAgentOverride
. The backend implementation can be found in /third_party/blink/renderer/core/inspector/inspector_emulation_agent.h, and the UserAgentMetadata type in /third_party/blink/public/devtools_protocol/browser_protocol.pdl will also need to be extended.SetUserAgentOverride
in /third_party/blink/renderer/core/inspector/inspector_emulation_agent.cc, and /content/browser/devtools/protocol/emulation_handler.cc.Devtools frontend source code is in a different branch devtools/devtools-frontend.
UserAgentMetadata
in /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.pdl, /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.json, and /third_party/devtools-frontend/src/front_end/generated/protocol.d.ts.PermissionsPolicyFeature
enum in /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.pdl, and /third_party/devtools-frontend/src/third_party/blink/public/devtools_protocol/browser_protocol.json.