Publications
2024 Link to heading
A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web
Stephan Wiefling, Marian Hönscheid and Luigi Lo Iacono | ARES ’24. ACM | PDF
Abstract
HTTP client hints are a set of standardized HTTP request headers designed to modernize and potentially replace the traditional user agent string. While the user agent string exposes a wide range of information about the client’s browser and device, client hints provide a controlled and structured approach for clients to selectively disclose their capabilities and preferences to servers. Essentially, client hints aim at more effective and privacy-friendly disclosure of browser or client properties than the user agent string. We present a first long-term study of the use of HTTP client hints in the wild. We found that despite being implemented in almost all web browsers, server-side usage of client hints remains generally low. However, in the context of third-party websites, which are often linked to trackers, the adoption rate is significantly higher. This is concerning because client hints allow the retrieval of more data from the client than the user agent string provides, and there are currently no mechanisms for users to detect or control this potential data leakage. Our work provides valuable insights for web users, browser vendors, and researchers by exposing potential privacy violations via client hints and providing help in developing remediation strategies as well as further research.
@inproceedings{article_ares2024_wiefling,
  author = {Wiefling, Stephan and Hönscheid, Marian and {Lo Iacono}, Luigi},
  title  = {A {Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web}},
  booktitle = {19th {International} {Conference} on {Availability}, {Reliability} and {Security}},
  series = {A{RES} '24},
  location = {Vienna, Austria},
  doi = {10.1145/3664476.3664478},
  publisher = {ACM},
  month = aug,
  year   = {2024},
}