28 comments

[ 3.0 ms ] story [ 50.8 ms ] thread
Dug into chrome.dll and figured out how the x-browser-validation header is generated. Full write up and PoC code here: https://github.com/dsekz/chrome-x-browser-validation-header

Why do you think Chrome bothers with this extra headers. Anti-spoofing, bot detection, integrity or something else?

Making it easier to reject "unapproved" or "unsupported" browsers and take away user freedom. Trying to make it harder for other browsers to compete.
I have two questions:

1. Do I understand it correctly and the validation header is individual for each installation?

2. Is this header only in Google Chrome or also in Chromium?

I had the same question (2). https://news.ycombinator.com/item?id=44560664

If it's only in the closed-source Chrome, then it seems it's intended to help Google's servers distinguish between Google's own products and others.

But I've never seen a Google site which worked less-well in Chromium than in Chrome, so I'm somewhat skeptical of this. Perhaps there are exceptions

(comment deleted)
Is it not likely that it protects against AI bot Llama?
I don't see how you can "protect" against a large language model that cannot do browsing.
> Why do you think Chrome bothers with this extra headers. Anti-spoofing, bot detection, integrity or something else?

Bot detection. It's a menace to literally everyone. Not to piss anyone off, but if you haven't dealt with it, you don't have anything of value to scrape or get access to.

Bots can easily copy the header though so I don't see how that helps?
I have to imagine Google added these headers to make it easier for them to identify agentic requests vs human requests. What angers me is that this is yet another signal that can be used to uniquely fingerprint users.
It doesn't really meaningfully increase the fingerprinting surface. As the OP mentioned the hash is generated from constants that are the same for all chrome builds. The only thing it really does is help distinguish chrome from other chromium forks (eg. edge or brave), but there's already enough proprietary bits inside chrome that you can easily tell it apart.
I'm more concerned that whether intentional or not this will probably cause problems for users who use non-chrome browsers. Like say slowing down requests that don't have this header, responding with different content, etc.
How does that work, though? I have a bunch of automated tasks I use to speed up my workflows, but they all run on top of the regular browser that I also use. I don't see how this war is winnable? (not without tracking things like micro-movements of the mouse that might be caused by being a human etc)
This should be somewhat alarming to anyone who already knows about WEI.

I wonder if "x-browser-copyright" is an attempt at trying to use the legal system to stifle competition and further their monopoly. If so, have they not heard of Sega v. Accolade ?

I'm a bit amused that they're using SHA-1. Why not MD5, CRC32, or (as the dumb security scanners would recommend) even SHA256?

Probably any cryptographic hash function would have done.

My suspicion is that what they're trying to do here is similar to e.g. the "Readium LCP" DRM for ebooks (previously discussed at [1]): A "secret key" and a "proprietary algorithm" might possibly bring this into DMCA scope in a way that using only a copyrighted string might not.

[1] https://news.ycombinator.com/item?id=43378627

And why should anyone with a sane mind (except for Googlers) allow this kind of validation bs to exist?
Why would they think this was a good idea after losing the chrome anti-trust trial? I don't know the intended purpose is for this, but I can see several ways this could be used anti-competitive way, although now it has been reverse engineered, an extension could spoof it. On the other hand, I wonder if they intend to claim the header is a form of DRM and such spoofing is a DMCA violation...
If you were using a user agent spoofing extension couldn't this be used to guess your "real" UA?
It looks like it's an SHA hash, so working backwards would probably be prohibitively irritating.
FYI: Google enterprise workspace admins can enable policies which e.g. prevent login ability to google.com properties to only Chrome browsers.

I wonder if this is header is not connected in some way to that feature.

I think it’s difficult to argue that Google doesn’t have the right and capability to build their own private internet, I just also think they’d like to make the entire internet their own private internet, and do away with the public internet, and I’d really prefer they not do that.
Is an "api key" like this covered by copyright? Would that technically mean that spoofing this random sequence of numbers would require me to agree to whatever source license they offer it under, since I wouldn't know the random sequence unless I read it in their source?

That's an odd possibility.

Anti-reverse-engineering clauses in EULAs are limited and exceptions are always present for interoperability. The same goes for copyright. It's hard to argue that this key is secret if it's widely and publicly distributed.

Ironically, Google just fought with Oracle a case around similar concepts.

Two questions:

Which version of chrome is the first to implement these headers?

What are the potential effects of these headers on chromium forks, e.g. ungoogled chromium?

How do I set this in Firefox?
Is there a way to prevent Chrome from sending those headers?
Does the open-source Chromium generate this header as well? (Perhaps with a slightly different UA as input.)

Or is it exclusive to the closed-source Chrome codebase?