Client Hint support. #2646

Open
pm-harshad-mane opened this issue Mar 16, 2023 · 7 comments

@pm-harshad-mane

We discussed this issue in the PBS PMC meeting on 15th March 2023.
Client Hint support. PBS is passing device.sua through to adapters.
Should we consider:
- host company config for responding with Accept-CH. But this may only be relevant for servers in the first-party domain
- forwarding client-hint headers to bidders (Sec-CH-*)

@pm-harshad-mane and @bretg to discuss offline and open an issue as necessary.

@pm-harshad-mane
Author

Here are the findings:
Referring to: https://developer.chrome.com/articles/user-agent-client-hints/#hint-scope-and-cross-origin-requests

By default, Client Hints will only be sent on same-origin requests. That means if you ask for specific hints on https://example.com, but the resources you want to optimize are on https://downloads.example.com they will not receive any hints.

To allow hints on cross-origin requests each hint and origin must be specified by a Permissions-Policy header.
To apply this to a User-Agent Client Hint, you need to lowercase the hint and remove the sec- prefix.

The example given on the above-mentioned page has example.com as the publisher domain, and the browser treats downloads.example.com as cross-origin.

PBS hosted on ssp.com will also be treated as third-party by the browser, but it needs to be verified whether the given solution of setting the Permissions-Policy header by the publisher will work for domains not having the same TLD.

CC: @bretg

@bretg
Contributor

bretg commented Mar 17, 2023

Thanks @pm-harshad-mane, but perhaps you could help boil this down to the PBS impacts?

What I'm gathering is that PBS returning an Accept-CH header wouldn't do any good because PBS is never the exact same origin.

But does it make sense to forward any Sec-CH-* headers received on the request through to bid adapters?

bretg moved this from Triage to Needs Requirements in Prebid Server Prioritization Mar 24, 2023

@bretg
Contributor

bretg commented May 10, 2023

Discussed in committee. We agreed that forwarding the headers may make technical sense, but that we should discuss with legal whether these things should be forwarded in anonymization scenarios.

@bretg
Contributor

bretg commented Jun 27, 2023

Reviewed with Prebid Legal. It was agreed that passing low-entropy client-hint headers through to bid adapters is fine. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Client_hints for a definition of which headers are considered low entropy. Currently the list is: Save-Data, Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform.

bretg moved this from Needs Requirements to Ready for Dev in Prebid Server Prioritization Jun 27, 2023
bretg moved this from Ready for Dev to Needs Requirements in Prebid Server Prioritization Sep 27, 2023

@pm-harshad-mane
Author

@ShriprasadM can you please look into this ticket?

@ShriprasadM
Contributor

ShriprasadM commented Sep 29, 2023

> @ShriprasadM can you please look into this ticket?

@pm-harshad-mane: Sure, will check with the team.
@pm-harshad-mane and @bretg: Please let me know if my understanding is correct here.

  1. PBS hosting is supposed to ensure that the Accept-CH response header is set with the required client hints as values.
  2. PBS is supposed to pass on low-entropy client-hint headers (Save-Data, Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform), though the bidder is not setting the Accept-CH response header

@bretg
Contributor

bretg commented Jan 4, 2024

Done in PBS-Java 2.6.

@ShriprasadM - the only work item is to pass the low-entropy client-hint headers through to bidders. As noted above, "PBS returning an Accept-CH header wouldn't do any good because PBS is never the exact same origin."
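
The work item described in this thread, forwarding only the low-entropy client-hint headers to bidders, sketched as an added example (not code from Prebid Server or from any participant in this issue). The helper name `ForwardLowEntropyHints` and the sample header values are assumptions; the allowlist is the one quoted in the Jun 27, 2023 comment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"sort"
	"strings"
)

// Low-entropy hints as listed in the thread (MDN's list at the time of the comment).
var lowEntropyHints = []string{"Save-Data", "Sec-CH-UA", "Sec-CH-UA-Mobile", "Sec-CH-UA-Platform"}

// allowed holds the canonical form of each hint, as net/http stores header keys.
var allowed = func() map[string]bool {
	m := make(map[string]bool, len(lowEntropyHints))
	for _, h := range lowEntropyHints {
		m[textproto.CanonicalMIMEHeaderKey(h)] = true
	}
	return m
}()

// ForwardLowEntropyHints (hypothetical helper) copies only allowlisted hints
// from the incoming request headers into the outgoing bidder request headers.
// It returns the sorted names of any other Sec-CH-* headers it left behind.
func ForwardLowEntropyHints(in, out http.Header) []string {
	var dropped []string
	for name, values := range in {
		canon := textproto.CanonicalMIMEHeaderKey(name)
		switch {
		case allowed[canon]:
			out[canon] = append(out[canon], values...)
		case strings.HasPrefix(canon, "Sec-Ch-"):
			dropped = append(dropped, canon)
		}
	}
	sort.Strings(dropped)
	return dropped
}

func main() {
	// Constructed sample of headers arriving at the auction endpoint.
	in := http.Header{}
	in.Set("Sec-CH-UA", `"Chromium";v="120"`)
	in.Set("Sec-CH-UA-Mobile", "?0")
	in.Set("Sec-CH-UA-Model", `"Pixel 7"`)
	out := http.Header{}
	fmt.Println(ForwardLowEntropyHints(in, out), out)
}
```

The returned list of dropped `Sec-CH-*` names can be logged or counted to see how often high-entropy hints reach the server without being passed on.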

bretg added the PBS-Go label Jan 4, 2024
bretg moved this from Needs Requirements to Ready for Dev in Prebid Server Prioritization Jan 4, 2024
Status: Ready for Dev