Ddonovxn
- Nov 4, 2024
The next version of Vanadium will set placeholder client hints based on the standard reduced Chrome user agent to provide a frozen form factor (Mobile or Desktop), model (K), platform version (10.0.0) and reduced browser version number (such as 121.0.0.0) without the full details instead of removing the high entropy client hints. It's possible this will improve compatibility with this broken app unless it depends on leaking the precise browser version, and it seems very unlikely that they hard-wire each Chrome version. We can do a new release soon for people to test.
No, GrapheneOS is not breaking compatibility by removing optional new headers providing OS and device model information.
I never wrote that. I'm aware that the blame is not with GrapheneOS but with them. Wasn't that clear enough?
It's not reasonable for a site to break compatibility because the browser isn't giving it that info or fake information about it.
Yes, that is well established. What I suggested was that Vanadium could be the one making a compromise for the sake of the users, because the companies involved don't care and it's hard to convince them to change their ways.
I know that implementing such a compromise wasn't really fair, because it puts the burden on the wrong party.
We will not add OS and device model info back to the headers. It's not reasonable for a site to break compatibility because the browser isn't giving it that info or fake information about it.
Fair enough. I just wanted to throw the idea out there to see what you had to say. I was expecting this response, but it's good to make that crystal clear nonetheless.
Adding code to Vanadium to put back those headers, plus UI and preference code to conditionalize on domains, wouldn't be impossible, but it would be work, and that work wouldn't be pro-security or pro-privacy.
Absolutely, I completely agree. It's the biggest drawback of my proposal: it's work. I'm aware that UI preference code needs to be maintained, plus I'm not sure how easy it is to make the header behaviour work differently on a per-domain basis.
I was hoping that all the necessary hooks are in place and it would be a low-hanging fruit, so to speak. If it's not too much work it could become appealing in terms of work/reward ("reward" in terms of sucking less).
Maybe even without UI, to reduce the work and stress that this is not really an advertised user-facing feature. Drop a list of domains in a magic JSON file in a specific directory in /sdcard. :-)

It might not be hard for somebody to build a browser which would be exactly Vanadium plus the silly headers (maybe call it Scandinavium?).
This could also be viable. The potential problem is that another browser will not be GOS' WebView component. Depending on what the app is doing, it might rely on WebView instead of opening a custom tab of the default browser.
Then maybe some journalist could write a piece about how silly the situation is (or maybe one journalist per country plus Ars Technica?), and maybe the silly people might be shamed into being less silly?
That would be the best outcome all around. These companies only change if a decision-maker is embarrassed. I have personally worked in a number of Danish companies in this domain (financial/authentication sector), and they're absolutely not going to care about a niche OS used by few people that have a specific phone and have wiped it to install another one.
Because I know that this is the reality, I don't hold my breath for them to change their ways on a timescale of less than years, at least in the absence of some event that forces their hand.
Hey @GrapheneOS, just one idea for you to consider.
First off, let me say we are all in agreement that many important apps (many would even say essential) in Denmark are very finicky and don't work in GrapheneOS due to a lot of security theater bullshit. That's on them, that's not GrapheneOS' fault.
But being realistic, whoever lives in Denmark cannot avoid these apps. Maybe some, almost certainly not all. It's just how the government/society is set up. What's going to happen is either:
- they need to use some workarounds, such as different browsers (or worse: making them the default)
- they stop using GrapheneOS
In both of these scenarios, the user's privacy is greatly compromised compared to if they could keep using the option provided by GOS. Even though GOS made the right technical choice, it didn't really help the user, since they're forced to use something else instead which is much worse for them.
Now, here comes the suggestion for you to think about. What if Vanadium offered the choice to relax the "header hardening" setting (for lack of a better expression) on a per-domain basis? This could be an expert setting that is very hidden (like tap 5 times somewhere) so you can't just stumble upon it, but if you really need it, like the users in this thread, then you could enter the particular problematic domains, and that would solve the issue for these users. No need to even allow disabling it on a global basis.
Sure, this compromises privacy for these domains, but it's going to be compromised anyway because the users here are forced to install Chrome or something else. And worse, make those the default browser, which ends up affecting everything else. With the suggestion above, they could relax the headers just for mitid.dk and mobilepay.dk (or whatever other domain they need) with a much lesser privacy risk, as they can continue to use a hardened browser for their daily needs with the full protection that it brings.

You may have considered this already, I don't know. But I wanted to put this suggestion out there because it may be a good compromise, as it solves the immediate Danish users' needs, and they will also come here less often to vent. :-)
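The thread above describes Vanadium moving to frozen placeholder client hints (form factor Mobile/Desktop, model "K", platform version "10.0.0", a reduced version such as "121.0.0.0") instead of dropping the high-entropy hints, and notes that this helps unless a site depends on the precise browser version. The following is an added example, not code from the thread or from Vanadium: it models, from a site's point of view, the UA-CH request headers such a client would send next to a client that leaks the real build and device, and shows which server-side checks behave identically on both and which kind breaks. All header values, the "Not A(Brand" GREASE entry, the "Pixel 8"/"121.0.6167.101" contrast values and the function names are constructed for illustration; only the header names (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Model, Sec-CH-UA-Full-Version-List) are the standard ones.

```javascript
// Added example, not code from the GrapheneOS thread or from Vanadium.
// Models the frozen UA-CH placeholders discussed above as the headers a site
// receives and shows which server-side checks survive them. All header values
// below are constructed for illustration.

// Parse the RFC 8941 structured-field list used by Sec-CH-UA and
// Sec-CH-UA-Full-Version-List, e.g.  "Chromium";v="121", "Not A(Brand";v="99"
// Returns [{brand, version}, ...]; quoted strings may carry \" and \\ escapes.
function parseBrandList(header) {
  const brands = [];
  const item = /"((?:[^"\\]|\\.)*)"\s*;\s*v\s*=\s*"((?:[^"\\]|\\.)*)"/g;
  const unescape = (s) => s.replace(/\\(.)/g, "$1");
  let m;
  while ((m = item.exec(header)) !== null) {
    brands.push({ brand: unescape(m[1]), version: unescape(m[2]) });
  }
  return brands;
}

// Constructed headers from a browser sending the frozen placeholders
// (reduced UA string, model "K", platform version 10.0.0, version 121.0.0.0).
const frozenHints = {
  "user-agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36",
  "sec-ch-ua": '"Chromium";v="121", "Not A(Brand";v="99"',
  "sec-ch-ua-mobile": "?1",
  "sec-ch-ua-platform": '"Android"',
  "sec-ch-ua-platform-version": '"10.0.0"',
  "sec-ch-ua-model": '"K"',
  "sec-ch-ua-full-version-list": '"Chromium";v="121.0.0.0", "Not A(Brand";v="99.0.0.0"',
};

// Constructed headers from a browser that leaks the real build and device, for contrast.
const leakyHints = {
  "user-agent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36",
  "sec-ch-ua": '"Chromium";v="121", "Google Chrome";v="121", "Not A(Brand";v="99"',
  "sec-ch-ua-mobile": "?1",
  "sec-ch-ua-platform": '"Android"',
  "sec-ch-ua-platform-version": '"14.0.0"',
  "sec-ch-ua-model": '"Pixel 8"',
  "sec-ch-ua-full-version-list": '"Chromium";v="121.0.6167.101", "Google Chrome";v="121.0.6167.101", "Not A(Brand";v="99.0.0.0"',
};

// The "Chromium" entry of a brand-list header, or null if absent.
function chromiumEntry(headers, name) {
  return parseBrandList(headers[name] || "").find((b) => b.brand === "Chromium") || null;
}

// Major version from Sec-CH-UA, the low-entropy hint sent on every request.
function chromiumMajor(headers) {
  const e = chromiumEntry(headers, "sec-ch-ua");
  return e ? Number.parseInt(e.version, 10) : null;
}

// Four-part version from Sec-CH-UA-Full-Version-List, a high-entropy hint.
function chromiumFullVersion(headers) {
  const e = chromiumEntry(headers, "sec-ch-ua-full-version-list");
  return e ? e.version : null;
}

// A site check that needs only the major version gives the same answer for both clients.
function meetsMinimumMajor(headers, minMajor) {
  const major = chromiumMajor(headers);
  return major !== null && major >= minMajor;
}

// A site check that insists on a real build number is the kind the thread warns about:
// Chrome release versions are MAJOR.0.BUILD.PATCH with a non-zero BUILD, so the frozen
// "121.0.0.0" never matches a release and a version-pinning site rejects it.
function reportsRealBuild(headers) {
  const v = chromiumFullVersion(headers);
  if (v === null) return false;
  const parts = v.split(".");
  return parts.length === 4 && parts.every((p) => /^\d+$/.test(p)) && parts[2] !== "0";
}

// Unquote a single sf-string hint such as Sec-CH-UA-Model; null for non-string hints.
function hintString(headers, name) {
  const raw = headers[name];
  const m = raw ? /^"((?:[^"\\]|\\.)*)"$/.exec(raw.trim()) : null;
  return m ? m[1].replace(/\\(.)/g, "$1") : null;
}
```

Run against both header sets, `meetsMinimumMajor` and `hintString(..., "sec-ch-ua-platform")` agree, while `reportsRealBuild` is true only for the leaky client and `hintString(..., "sec-ch-ua-model")` yields "K" versus "Pixel 8": a site that only gates on the major version or platform keeps working with the frozen hints, and a site that pins on the full build number or device model is the one that breaks.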