A set of 4 hints (`dpr`, `width`, `viewport-width`, and `device-memory`) has a default allowlist of `self` but, on Android, behaves as though it had a default allowlist of `*`. The default allowlist of `*` goes against the Client Hints Infrastructure standard; fixing this will increase privacy on Android by requiring explicit delegation of these hints.

Motivation

One leftover from the rapid iteration on Client Hints Infrastructure is the concept of a `legacy` client hint. This is a set of 4 hints (`dpr`, `width`, `viewport-width`, and `device-memory`) which have a default allowlist of `self` (meaning that they are not sent to third-party subresources unless delegated via Permissions Policy) but which, on Android, behave as though they have a default allowlist of `*` (meaning they are sent to third-party subresources as long as the first-party page requests them).
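The difference between the two default allowlists, as an added JavaScript sketch (not Chromium code and not part of the original entry). It assumes the `ch-<hint>` Permissions Policy feature names, models the Android behaviour as a default allowlist of `*`, and uses constructed origins and header values.

```javascript
// Added illustration: a simplified model of hint delegation, not Chromium code.
const LEGACY_HINTS = ["dpr", "width", "viewport-width", "device-memory"];

// Parse the Permissions-Policy forms used here:
//   ch-dpr=(self "https://x"), ch-dpr=*, ch-dpr=()
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const directive of header.split(",")) {
    const eq = directive.indexOf("=");
    if (eq < 0) continue;
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const value = directive.slice(eq + 1).trim();
    policy[feature] = value
      .replace(/^\(|\)$/g, "")
      .split(/\s+/)
      .filter(Boolean)
      .map((entry) => entry.replace(/^"|"$/g, ""));
  }
  return policy;
}

// Returns the legacy hints (opted into via Accept-CH) attached to a request for requestOrigin.
// legacyAndroid swaps the default allowlist from "self" to "*" (assumption of this sketch).
function hintsSentTo(requestOrigin, { topOrigin, acceptCH, permissionsPolicy = "", legacyAndroid = false }) {
  const policy = parsePermissionsPolicy(permissionsPolicy);
  const fallback = legacyAndroid ? ["*"] : ["self"];
  return acceptCH
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => LEGACY_HINTS.includes(h))
    .filter((h) => {
      const allowlist = policy["ch-" + h] ?? fallback;
      return (
        allowlist.includes("*") ||
        allowlist.includes(requestOrigin) ||
        (allowlist.includes("self") && requestOrigin === topOrigin)
      );
    });
}

// Constructed sample page: opts in to three hints and delegates only DPR to its CDN.
const page = {
  topOrigin: "https://shop.example",
  acceptCH: "DPR, Width, Device-Memory",
  permissionsPolicy: 'ch-dpr=(self "https://cdn.example")',
};
console.log(hintsSentTo("https://ads.example", { ...page, permissionsPolicy: "", legacyAndroid: true }));
console.log(hintsSentTo("https://cdn.example", page));
```

With the `self` default, an undelegated third party receives none of the four hints; with the `*` default it receives every hint the first party opted into.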

Specification

Specification being incubated in a Community Group

Status in Chromium

Blink>Network


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals

Owner

Last updated on 2022-04-09