The Sec-CH-UA-Form-Factors client hint (new HTTP header)

Starting from Chrome 124, Chrome will support a new client hint: Sec-CH-UA-Form-Factors.

This client hint is part of the Privacy Sandbox project. It is considered a high-entropy hint, so it is not sent by default. The new feature therefore has no impact unless a site requests the hint (cf. the section below).

It describes how the user interacts with the browser/device, e.g. through a desktop device, through a watch or even through an automotive device. For the moment, the possible values listed in the specs are the following: "Desktop", "Automotive", "Mobile", "Tablet", "XR", "EInk", or "Watch":
  • "Desktop" refers to a browser running on a personal computer.
  • "Automotive" refers to a browser embedded in a vehicle.
  • "Tablet" refers to a touch-oriented device larger than a mobile device.
    What’s the purpose of this new client hint?

    The Sec-CH-UA-Form-Factors client hint aims to help websites customize resources and presentation based on the type of device the user is on, to provide a better user experience. It lets websites avoid fragile device detection based on the user-agent string.

    When will Sec-CH-UA-Form-Factors be available?

    It will be released in Google Chrome 124 on desktop, mobile, and WebView. Note that it has been in dev trial since Chrome 122 behind the ClientHintsFormFactor flag, so you might see Chrome browsers older than version 124 sending this header.

    Is there any fingerprinting/privacy risk linked to this client hint?

    As usual, Google conducted a privacy/fingerprinting impact study before delivering these kinds of features. Even though it is considered a high-entropy hint, and therefore is not sent by default, Google concluded that there’s no risk of active fingerprinting as “the factors can already be retrieved from the user agent.”

    As a website, how can I collect the value of this new header?

    There are two ways to collect the value of Sec-CH-UA-Form-Factors:

    1. On the server side, request the hint by sending the following HTTP response header: Accept-CH: Sec-CH-UA-Form-Factors
    2. On the client side, you can obtain it using NavigatorUAData.getHighEntropyValues with "formFactor" included in the hints argument.
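
The server-side option, sketched as an added example (not code from the article or from Chrome): it emits the Accept-CH opt-in and validates the returned header against the values listed above. The function names are hypothetical, and the quoted-string list format of the request header is an assumption based on the structured-field syntax used by UA client hints.

```javascript
// Added example; function and constant names here are hypothetical.
// Form-factor values the article lists as currently specified.
const KNOWN_FORM_FACTORS = new Set([
  "Desktop", "Automotive", "Mobile", "Tablet", "XR", "EInk", "Watch",
]);

// Response header that opts the site in. The hint is high-entropy, so the
// browser sends it only on requests made after it has seen this header.
function optInHeaders() {
  return { "Accept-CH": "Sec-CH-UA-Form-Factors" };
}

// Parse the request header value as a list of quoted strings, e.g.
// `"Desktop"` or `"Mobile", "XR"` (assumed wire format: structured-field list).
// Returns null when the header is absent, or { values, malformed }.
function parseFormFactors(raw) {
  if (raw == null || raw.trim() === "") return null;
  const item = /^\s*"((?:[^"\\]|\\["\\])*)"\s*$/;
  const values = [];
  // Splitting on "," is safe for the known values; anything else that
  // contains a comma fails the item check and is reported as malformed.
  for (const part of raw.split(",")) {
    const m = item.exec(part);
    if (!m) return { values: [], malformed: true };
    values.push(m[1].replace(/\\(["\\])/g, "$1"));
  }
  return { values, malformed: false };
}

// Classify a request from its headers (lower-cased names, as in Node's
// req.headers). The value is client-controlled: validate before using it.
function classifyFormFactors(headers) {
  const parsed = parseFormFactors(headers["sec-ch-ua-form-factors"]);
  if (parsed === null) return "not-sent";
  if (parsed.malformed) return "malformed";
  const unknown = parsed.values.filter((v) => !KNOWN_FORM_FACTORS.has(v));
  return unknown.length > 0 ? "unknown-value" : "ok";
}
```

A "not-sent" result is expected on the first request of a session and on browsers that do not support the hint, so it should not be treated as an anomaly on its own.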