brave-browser: `x-client-data` header should not be sent in requests
Test plan
- Visit youtube.com and open a video
- Open browser dev tools
- Go to network tab
- Reload page
- Inspect the original request and look for headers. You should NOT see an `x-client-data` header. Prior versions (and versions without this fix) will be sending the header
Updated Issue Description (notes from @bsclifton)
Visiting sites like youtube.com will show an x-client-data header. This wasn’t in Brave for a long time because we didn’t use the variations server. This showed itself recently since we did recently create a Brave-specific variations server. This header should be disabled.
Original Issue Description
There is an ongoing conversation about the Chrome/Chromium x-client-data header here https://github.com/bromite/bromite/issues/480 and here https://github.com/w3ctag/design-reviews/issues/467#issuecomment-581944600
Does Brave Desktop/Android send a unique client ID (x-client-data) to Google properties (google.com etc)? This is considered a “backdoor” for Google (and google only!) to track users even without cookies.
If Brave sends this header - can it be removed?
If Brave doesn’t send this header - maybe worth mentioning in some privacy features list?
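
The header check from the test plan can also be run against a HAR file exported from the dev tools network tab. This is an added example, not code from the Brave project; the function names and the sample HAR are constructed for illustration, and the header values are placeholders.

```javascript
// Added example: scan a DevTools HAR export for requests carrying x-client-data.
// SAMPLE_HAR is constructed for illustration; header values are placeholders.
const SAMPLE_HAR = JSON.stringify({
  log: {
    entries: [
      { request: { url: "https://www.youtube.com/watch?v=PLACEHOLDER",
          headers: [{ name: "User-Agent", value: "constructed" },
                    { name: "X-Client-Data", value: "PLACEHOLDER==" }] } },
      { request: { url: "https://www.youtube.com/s/player/base.js",
          headers: [{ name: "x-client-data", value: "PLACEHOLDER==" }] } },
      { request: { url: "https://example.org/",
          headers: [{ name: "Accept", value: "*/*" }] } },
      { request: { url: "not a url", headers: [{ name: "X-CLIENT-DATA", value: "" }] } },
    ],
  },
});

// Returns { total, hits: [{url, host, value}], byHost: {host: count} }.
function findClientDataHeaders(harText, headerName = "x-client-data") {
  const har = JSON.parse(harText);
  const entries = (har.log && Array.isArray(har.log.entries)) ? har.log.entries : [];
  const wanted = headerName.toLowerCase();
  const hits = [];
  const byHost = {};
  for (const entry of entries) {
    const req = entry.request || {};
    // Header names are case-insensitive; HTTP/2 captures show them lowercased.
    const match = (req.headers || []).find(
      (h) => typeof h.name === "string" && h.name.toLowerCase() === wanted);
    if (!match) continue;
    let host;
    try { host = new URL(req.url).hostname; } catch { host = "(unparsable url)"; }
    hits.push({ url: req.url, host, value: match.value });
    byHost[host] = (byHost[host] || 0) + 1;
  }
  return { total: entries.length, hits, byHost };
}

// Pass/fail in the sense of the test plan: pass means no request carried the header.
function testPlanPasses(harText) {
  return findClientDataHeaders(harText).hits.length === 0;
}

const report = findClientDataHeaders(SAMPLE_HAR);
console.log(`${report.hits.length}/${report.total} requests carried x-client-data`, report.byHost);
```

Grouping the hits by host shows which destinations received the header, which is the question the original issue description asks.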
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (6 by maintainers)
Commits related to this issue
- 8049: Never send header with variations. Fix https://github.com/brave/brave-browser/issues/8049 — committed to brave/brave-core by iefremov 3 years ago
@bsclifton Yeah I think this is our variations service. We need to explicitly disable this header
Verification passed on
Verification passed on
Verified FIXED on using the STR from the description; no `x-client-data` header was sent.
@iefremov yes - I’ll create the uplifts now. We can uplift to 1.20 (release 2)