The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The first point - there are usecases but it probably all ought to be user prompted. The vast majority of sites don't need any of it. For example when testing webgpu on chromium I had to globally enable it with a flag which prompted a security warning. A per-site prompt would have been much more secure - I was only using it on localhost.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
> but why does the website that's sending me HTML and CSS and Javascript need to know?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
And when I block js, most websites are still readable. (some even look better!) The fact that some sites work just fine without js mean that most could. Certainly the sites load much, much quickly without the js. 90% of the time all I want is the text, which loads perfectly without it. JS is a huge waste of resources with no real benefit to consumers. Some web apps need it, yes, but even those could still do fine without it. (until recently there was still an HTML gmail app which worked just fine.)
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
Some mobile devices (especially cheap Androids) often have device model numbers and build version in the User-Agent headers. A few examples from a quick look at my access log:
Mozilla/5.0 (Linux; U; Android 15; zh-CN; V2301A Build/AP3A.240905.015.A2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.80 Quark/7.13.1.851 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 13; STYLO RAIN Build/TP1A.220624.014) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.89 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 14; moto g04 Build/ULA34.89-193; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/137.0.7151.89 Mobile Safari/537.36
All of these contain both the device/model name and specific software version.
This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
> Required for showing the right resolution images.
How many websites is this actually an issue for? I know web developers get all impressed with themselves about putting fancy images on their web pages, but the vast majority of them are simply useless decoration.
> Most people expect to see times in their local time.
So have a built-in widget in the browser that takes a time in UTC from the server and converts it to local time (if the user has that setting enabled in their browser settings) based on the computer's time zone.
Even client side Javascript could do this without having to tell the server anything about the client's time zone.
> can be useful for showing the right download button
How about just letting the user select the right download button?
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Because they pretty much all power some kind of actual functionality. Users want the website to show up in their timezone, in their language, and to respect the light/dark mode options. Those are all legitimate functions, which also get used for tracking.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
