What is following header for: X-Chrome-Variations?

Question

I was looking at http requests sent by chrome in Fiddler, and I noticed following http header which puzzles me:

 X-Chrome-Variations: CNa1yQEIjrbJAQiYtskBCKK2yQEIp7bJAQiptskBCLmDygE= 

This is a base64 encoded 35-byte array:

8,214,181,201,1, 8,142,182,201,1, 8,152,182,201,1, 8,162,182,201,1, 8,167,182,201,1, 8,169,182,201,1, 8,185,131,202,1 

I've seen several examples of this number on the web.

Can anyone explain to me what this is, and why chrome sends it out (and if it could be used to identify/track me)?

Answer 1

Google Chrome developers test experimental features by enabling a feature for a small random selection of Chrome installs and watching how the feature works. The common term for this is field trials. When Google Chrome runs for the first time, it generates a random number between 1 and 8192 and later uses it to determine whether to participate in a particular field trial.

The "Google Chrome and Privacy" whitepaper (PDF, October 2012, current as of Chrome 22.0.1229.79) provides these details.

To help guide the construction of features that users actually find useful, a subset of users may get a sneak peek at new functionality before it’s launched to the world at large. The field trials that are currently active on your installation of Chrome will be included in all requests sent to Google servers to allow Google to filter logs for only those generated by a given variation of Chrome. This Chrome-Variations header will not contain any personally identifiable information, and will strictly describe the state of the installation of Chrome itself.

The variations active for a given installation are determined by a seed number between 1 and 8192 (13 bits of entropy) which is randomly selected on first run. If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”.

Google Chrome sends information about which field trials are currently active to all domains of the form *.google.<TLD> (where .<TLD> is a top-level domain, such as .com, .org, .co.uk, .cn, .biz and so on). Most but not all of those domains are owned by Google. The field trial identifiers are stored in a protocol buffer, encoded with base64 and sent in the X-Chrome-Variations header. If you have opted in to send usage statistics and crash reports to Google (a checkbox accessible at chrome://​chrome/​settings/​search#privacy), an X-Chrome-UMA-Enabled: 1 header is also sent. The headers are not sent when in Incognito mode.

Starting with revision 156914 (included in Chrome 23 and later versions according to the release table), the list of field trials is displayed under the Variations title on the about:version page.

The relevant source code is in the chromium/​src/​chrome/​browser/​renderer_host/​chrome_resource_dispatcher_host_delegate.cc file. The headers are sent in the ChromeResourceDispatcherHostDelegate::​AppendChromeMetricsHeaders method. The value of X-Chrome-Variations is constructed in the ChromeResourceDispatcherHostDelegate::​UpdateVariationIDsHeaderValue method. Field trials are defined using the base::FieldTrial class from file src/​base/​metrics/​field_trial.h

As for the ability to track you using those headers, that depends on the uniqueness properties of the actual combination of your field trials, which I'm not aware of. But keep in mind that even if you strip the X-Chrome-Variations headers, disable cookies, local storage and Flash local storage, your browser may still be identifiable using cache fingerprinting techniques or using the combination of the request headers it normally sends, your system configuration info available to JavaScript or Flash and possibly the IP address blocks you tend to use, as demonstrated by EFF's Panopticlick. So the privacy game is basically lost unless you use a carefully configured Tor with Privoxy setup, and even then leaks are possible.