Nginx support for TLS ALPS extension for ACCEPT_CH?
Matthias Saou
thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Sun Feb 25 19:18:56 UTC 2024
Hi,
On Sat, 24 Feb 2024 03:02:35 +0300
Maxim Dounin <mdounin at mdounin.ru> wrote:
> Any specific details about "dropping the User-Agent"? From
> https://developers.google.com/privacy-sandbox/protections/user-agent
> it looks like User-Agent is still here, provides basic information
> about client browser version and platform, and it is not going
> anywhere.
I got it wrong. Looks like all browsers are going to be Netscape 6.1
until the end of time! :-)
My particular issue is actually with what is now sometimes missing from
the User-Agent by default, such as the device brand (Samsung,
Xiaomi...) or the OS version (Windows 10 or 11...).
If you know you need this data, then having a mechanism to keep having
it included in the first HTTP client response would make things a lot
easier.
> Note that the draft-davidben-http-client-hint-reliability draft
> referenced in the Chrome feature (and the user-agent page) expired
> in 2021, and the same applies to the vvv-tls-alps and
> draft-vvv-httpbis-alps drafts. This makes it highly unlikely to
> be ever supported by OpenSSL.
>
> OTOH, if draft-davidben-http-client-hint-reliability is supported,
> the Critical-CH header should make it trivial (though potentially
> suboptimal, compared to ALPS) to request any specific hints if
> they are actually needed. Without ALPS implemented, using the
> Critical-CH header might be a good alternative.
Thanks for the pointer! I just read up on
https://datatracker.ietf.org/doc/html/draft-davidben-http-client-hint-reliability
and the Critical-CH header probably wouldn't be suitable for our use
case (since it will typically trigger a second client connection), but
the ACCEPT_CH frame definitely would, especially given all these recent
clients would be connecting over HTTP/2 or newer. But that draft seems
to also have expired in 2021, no?
So it seems like as of right now, with recent Chrome & Edge clients,
there is no way to have nginx receive more than the 3 default client
hints during the first client HTTP connection?
Cheers,
Matthias
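
The Critical-CH fallback discussed in this thread, sketched as an nginx configuration. This is an added example, not part of the original message and not nginx project code. The server name, certificate and log paths, and the `ch_debug` log format name are assumptions; the two requested hints correspond to the device model and OS version mentioned above.

```nginx
# Added example, placed in the http{} context.
# Logs the hint headers so the first request and any retry can be compared.
log_format ch_debug '$remote_addr "$request" $status '
                    'ua="$http_user_agent" '
                    'platform="$http_sec_ch_ua_platform" '
                    'model="$http_sec_ch_ua_model" '
                    'platform_version="$http_sec_ch_ua_platform_version"';

server {
    # Client hints are only sent over HTTPS.
    listen 443 ssl;
    http2 on;                                  # directive form for nginx 1.25.1+
    server_name example.test;                  # assumed name
    ssl_certificate     /etc/nginx/tls/example.test.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.test.key;   # assumed path

    access_log /var/log/nginx/ch_debug.log ch_debug;

    # Opt in to hints beyond the defaults; honoured on later requests.
    add_header Accept-CH   "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version" always;

    # Mark the same hints as critical: a client implementing the draft
    # that did not send them retries the request with them included.
    add_header Critical-CH "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version" always;

    # The response depends on the hints, so caches must key on them.
    add_header Vary        "Sec-CH-UA-Model, Sec-CH-UA-Platform-Version" always;

    location / {
        root /usr/share/nginx/html;
    }
}
```

With a client that implements Critical-CH, the log shows the first request with empty `model` and `platform_version` fields followed by a retried request carrying them, which is the extra round trip the message refers to.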