prebid-server
Client Hint support.
We discussed this issue in PBS PMC meeting on 15th March 2023.
Client Hint support. PBS is passing device.sua through to adapters.
Should we consider:
- host company config for responding with Accept-CH. But this may only be relevant for servers in the first-party domain.
- forwarding client-hint headers to bidders (Sec-CH-*)
@pm-harshad-mane and @bretg to discuss offline and open an issue as necessary.
Here are the findings: Referring to: https://developer.chrome.com/articles/user-agent-client-hints/#hint-scope-and-cross-origin-requests
By default, Client Hints will only be sent on same-origin requests. That means if you ask for specific hints on https://example.com, but the resources you want to optimize are on https://downloads.example.com they will not receive any hints.
To allow hints on cross-origin requests each hint and origin must be specified by a Permissions-Policy header. To apply this to a User-Agent Client Hint, you need to lowercase the hint and remove the sec- prefix.
The example given on the above-mentioned page has example.com as the publisher domain, and the browser treats downloads.example.com as cross-origin.
PBS hosted on ssp.com will also be treated as third-party by the browser, but it needs to be verified whether the given solution of setting the Permissions-Policy header by the publisher will work for domains not having the same TLD.
CC: @bretg
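The Chrome article quoted above says a hint is delegated cross-origin by lowercasing the header name and dropping the sec- prefix, then listing the permitted origins in Permissions-Policy. The following Go snippet is an added illustration of that rule, not code from the original thread or from prebid-server; the hint names are the ones discussed in the thread, and the delegated host ssp.example is a constructed placeholder for a PBS host on a different registrable domain.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// hintToPolicyFeature converts a User-Agent Client Hint header name into the
// Permissions-Policy feature name the Chrome article describes: lowercase the
// hint and drop the "sec-" prefix ("Sec-CH-UA-Platform" -> "ch-ua-platform").
func hintToPolicyFeature(header string) string {
	return strings.TrimPrefix(strings.ToLower(header), "sec-")
}

// buildPermissionsPolicy renders a Permissions-Policy header value that
// delegates each hint to the publisher's own origin ("self") plus the given
// cross-origin hosts. Features are sorted so the output is deterministic.
func buildPermissionsPolicy(hints []string, delegateTo []string) string {
	features := make([]string, 0, len(hints))
	for _, h := range hints {
		features = append(features, hintToPolicyFeature(h))
	}
	sort.Strings(features)

	allowlist := []string{"self"}
	for _, origin := range delegateTo {
		allowlist = append(allowlist, `"`+origin+`"`)
	}
	members := strings.Join(allowlist, " ")

	directives := make([]string, 0, len(features))
	for _, f := range features {
		directives = append(directives, f+"=("+members+")")
	}
	return strings.Join(directives, ", ")
}

func main() {
	// Constructed sample: a publisher page on example.com asks for three hints
	// and delegates them to a hypothetical PBS host, https://ssp.example.
	hints := []string{"Sec-CH-UA", "Sec-CH-UA-Mobile", "Sec-CH-UA-Platform"}
	fmt.Println("Accept-CH: " + strings.Join(hints, ", "))
	fmt.Println("Permissions-Policy: " + buildPermissionsPolicy(hints, []string{"https://ssp.example"}))
}
```

Both headers are emitted by the publisher's first-party response; whether a browser honours the delegation for a host on a different registrable domain is exactly the open question raised in the message above, and this snippet only produces the header, it does not answer that.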
Thanks @pm-harshad-mane, but perhaps you could help boil this down to the PBS impacts?
What I'm gathering is that PBS returning an Accept-CH header wouldn't do any good because PBS is never the exact same origin.
But does it make sense to forward any Sec-CH-* headers received on the request through to bid adapters?
Discussed in committee. We agreed that forwarding the headers may make technical sense, but that we should discuss with legal whether these things should be forwarded in anonymization scenarios.
Reviewed with Prebid Legal. It was agreed that passing low-entropy client-hint headers through to bid adapters is fine. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Client_hints for a definition of which headers are considered low entropy. Currently the list is: Save-Data, Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform.
@ShriprasadM can you please look into this ticket?
@pm-harshad-mane: Sure, will check with the team. @pm-harshad-mane and @bretg: Please let me know if my understanding is correct here.
- PBS hosting is supposed to ensure that the Accept-CH response header is set with the required client hints as values.
- PBS is supposed to pass on the low-entropy client-hint headers (Save-Data, Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform), even though the bidder is not setting the Accept-CH response header.
Done in PBS-Java 2.6.
@ShriprasadM - the only work item is to pass the low-entropy client-hint headers through to bidders. As noted above, "PBS returning an Accept-CH header wouldn't do any good because PBS is never the exact same origin."
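The agreed work item is a pass-through of exactly the four low-entropy headers named after the legal review, with everything else (high-entropy hints such as Sec-CH-UA-Model or Sec-CH-UA-Full-Version-List, and unrelated request headers) left out. The Go below is an added example of that filter written for this page; it is not prebid-server's own adapter code, and the bidder endpoint and header values are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
)

// lowEntropyClientHints is the allow-list agreed in the thread after legal
// review. Keys are stored in Go's canonical header form so lookups work no
// matter how the incoming header was capitalised.
var lowEntropyClientHints = map[string]bool{
	http.CanonicalHeaderKey("Save-Data"):          true,
	http.CanonicalHeaderKey("Sec-CH-UA"):          true,
	http.CanonicalHeaderKey("Sec-CH-UA-Mobile"):   true,
	http.CanonicalHeaderKey("Sec-CH-UA-Platform"): true,
}

// forwardableClientHints returns only the low-entropy client-hint headers from
// an incoming auction request. High-entropy hints and unrelated headers are
// dropped, so the result is safe to copy onto an outgoing bidder request under
// the policy agreed in the thread.
func forwardableClientHints(in http.Header) http.Header {
	out := http.Header{}
	for name, values := range in {
		if !lowEntropyClientHints[http.CanonicalHeaderKey(name)] {
			continue
		}
		for _, v := range values {
			out.Add(name, v) // Add canonicalises the key on the way out
		}
	}
	return out
}

// applyClientHints copies the forwardable hints onto a bidder request without
// overwriting any header the adapter already set, and reports how many header
// values were added.
func applyClientHints(bidderReq *http.Request, incoming http.Header) int {
	added := 0
	for name, values := range forwardableClientHints(incoming) {
		if bidderReq.Header.Get(name) != "" {
			continue // adapter-provided value wins
		}
		for _, v := range values {
			bidderReq.Header.Add(name, v)
			added++
		}
	}
	return added
}

func main() {
	// Constructed sample of headers as a Chromium-based browser might send them
	// on the auction request.
	in := http.Header{}
	in.Set("Sec-CH-UA", `"Chromium";v="112", "Not A(Brand";v="24"`)
	in.Set("Sec-CH-UA-Mobile", "?0")
	in.Set("Sec-CH-UA-Platform", `"Linux"`)
	in.Set("Sec-CH-UA-Model", `""`)                                      // high-entropy: must not be forwarded
	in.Set("Sec-CH-UA-Full-Version-List", `"Chromium";v="112.0.5615.49"`) // high-entropy: must not be forwarded
	in.Set("Cookie", "session=abc")                                       // not a client hint at all

	// Hypothetical bidder endpoint; any adapter-built request would do.
	req, _ := http.NewRequest("POST", "https://bidder.example/openrtb2", nil)
	n := applyClientHints(req, in)
	fmt.Printf("forwarded %d header values:\n", n)
	for name, values := range req.Header {
		fmt.Println(name, values)
	}
}
```

Keeping the allow-list as explicit names rather than a Sec-CH-* prefix match is the point: a prefix rule would also forward the high-entropy hints the thread decided not to pass, and any future hint would be forwarded by default instead of after review.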