A while ago the Chromium team was looking into removing the User-Agent string (see the earlier post "User-Agent 的淘汰提案" on the User-Agent deprecation proposal), and kiwibrowser promptly broke because of it. Google has long been sending the x-client-data HTTP header to its own sites, and its contents are enough to single out an individual user's browser: "Partial freezing of the User-Agent string #467".
Google's whitepaper says it is used for server-side experiments:
We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
But because this is enabled by default, even after you turn it off the value is still enough to sort the user into a different bucket, so it remains highly identifying; Google saying it cannot identify you does not make it so.
Also, from the explanation in the source code:
// Note the criteria for attaching client experiment headers:
// 1. We only transmit to Google owned domains which can evaluate
//    experiments.
// 1a. These include hosts which have a standard postfix such as:
//         *.doubleclick.net or *.googlesyndication.com or
//         exactly www.googleadservices.com or
//         international TLD domains *.google.<TLD> or *.youtube.<TLD>.
// 2. Only transmit for non-Incognito profiles.
// 3. For the X-Client-Data header, only include non-empty variation IDs.
You can see that *.doubleclick.net, *.googlesyndication.com and www.googleadservices.com are all advertising related. Google's own search engine serves ads directly (without going through the domains above), and YouTube is in the same situation, so it is entirely reasonable to guess that x-client-data is used by advertising-related systems.
The Register, in "Is Chrome really secretly stalking you across Google sites using per-install ID numbers? We reveal the truth", added a bolded Update mentioning the GDPR issue; it is not clear whether some authority has started investigating:
Updated Google is potentially facing a massive privacy and GDPR row over Chrome sending per-installation ID numbers to the mothership.
Until this problem is fixed, the only stopgap is an extension that manipulates HTTP headers to strip this field.
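As an added illustration of that stopgap (my own example, not code from the post or from any existing extension), here is the core of a Manifest V2 style blocking webRequest listener that drops X-Client-Data on requests to the host patterns listed in the Chromium comment above. It assumes the header is visible to the listener with the "extraHeaders" option, and approximates the international-TLD rule with a regex rather than Chromium's explicit TLD list.

```javascript
// Added example: strip Chrome's X-Client-Data request header in a
// WebExtension (MV2 blocking webRequest). Not code from the post.
// Host patterns follow the Chromium source comment quoted above.
const HEADER = "x-client-data";

// Does this hostname match one of the Google-owned patterns that
// Chromium attaches the header to? The TLD regex is an approximation
// (assumption) of Chromium's explicit *.google.<TLD> / *.youtube.<TLD> list.
function isGoogleVariationsHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "www.googleadservices.com") return true;
  if (h.endsWith(".doubleclick.net") || h.endsWith(".googlesyndication.com")) return true;
  return /(^|\.)(google|youtube)\.((co|com)\.)?[a-z]{2,3}$/.test(h);
}

// Remove X-Client-Data (case-insensitive) from a webRequest header list.
// Returns a new array; the caller's array is left untouched.
function stripClientData(requestHeaders) {
  return requestHeaders.filter((hd) => hd.name.toLowerCase() !== HEADER);
}

// Blocking listener: only rewrite requests bound for the hosts above,
// return an empty object (no change) for everything else.
function onBeforeSendHeaders(details) {
  const host = new URL(details.url).hostname;
  if (!isGoogleVariationsHost(host)) return {};
  return { requestHeaders: stripClientData(details.requestHeaders) };
}

// Register only when running inside an extension (chrome.* is absent in Node).
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeSendHeaders.addListener(
    onBeforeSendHeaders,
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders", "extraHeaders"]
  );
}
```

Under Manifest V3 the blocking webRequest API is no longer available to ordinary extensions, so the same intent has to be expressed as a declarativeNetRequest rule with a "removeHeaders"-style action instead of a listener.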