What is following header for: X-Chrome-Variations?

I was looking at HTTP requests sent by Chrome in Fiddler, and I noticed the following HTTP header, which puzzles me:

 X-Chrome-Variations: CNa1yQEIjrbJAQiYtskBCKK2yQEIp7bJAQiptskBCLmDygE= 

This is a base64 encoded 35-byte array:

8,214,181,201,1, 8,142,182,201,1, 8,152,182,201,1, 8,162,182,201,1, 8,167,182,201,1, 8,169,182,201,1, 8,185,131,202,1 

I've seen several examples of this number on the web.

Can anyone explain to me what this is, and why Chrome sends it out (and if it could be used to identify/track me)?

Arsen Zahray asked Aug 29 '12 17:08



1 Answer

Google Chrome developers test experimental features by enabling a feature for a small random selection of Chrome installs and watching how the feature works. The common term for this is field trials. When Google Chrome runs for the first time, it generates a random number between 1 and 8192 and later uses it to determine whether to participate in a particular field trial.

The "Google Chrome and Privacy" whitepaper (PDF, October 2012, current as of Chrome 22.0.1229.79) provides these details.

To help guide the construction of features that users actually find useful, a subset of users may get a sneak peek at new functionality before it’s launched to the world at large. The field trials that are currently active on your installation of Chrome will be included in all requests sent to Google servers to allow Google to filter logs for only those generated by a given variation of Chrome. This Chrome-Variations header will not contain any personally identifiable information, and will strictly describe the state of the installation of Chrome itself.

The variations active for a given installation are determined by a seed number between 1 and 8192 (13 bits of entropy) which is randomly selected on first run. If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”.

Google Chrome sends information about which field trials are currently active to all domains of the form *.google.<TLD> (where .<TLD> is a top-level domain, such as .com, .org, .co.uk, .cn, .biz and so on). Most but not all of those domains are owned by Google. The field trial identifiers are stored in a protocol buffer, encoded with base64 and sent in the X-Chrome-Variations header. If you have opted in to send usage statistics and crash reports to Google (a checkbox accessible at chrome://chrome/settings/search#privacy), an X-Chrome-UMA-Enabled: 1 header is also sent. The headers are not sent when in Incognito mode.

Starting with revision 156914 (included in Chrome 23 and later versions according to the release table), the list of field trials is displayed under the Variations title on the about:version page.

The relevant source code is in the chromium/src/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc file. The headers are sent in the ChromeResourceDispatcherHostDelegate::AppendChromeMetricsHeaders method. The value of X-Chrome-Variations is constructed in the ChromeResourceDispatcherHostDelegate::UpdateVariationIDsHeaderValue method. Field trials are defined using the base::FieldTrial class from file src/base/metrics/field_trial.h.

As for the ability to track you using those headers, that depends on the uniqueness properties of the actual combination of your field trials, which I'm not aware of. But keep in mind that even if you strip the X-Chrome-Variations headers, disable cookies, local storage and Flash local storage, your browser may still be identifiable using cache fingerprinting techniques or using the combination of the request headers it normally sends, your system configuration info available to JavaScript or Flash and possibly the IP address blocks you tend to use, as demonstrated by EFF's Panopticlick. So the privacy game is basically lost unless you use a carefully configured Tor with Privoxy setup, and even then leaks are possible.

Till Ulen answered Dec 10 '22 16:12
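The answer says the header is a base64-encoded protocol buffer; the following added script (not from the question, the answer or Chromium) decodes the exact value from the question without a schema, walking the protobuf wire format and pulling out the varints in field 1, which is the repeated variation_id field of Chromium's ClientVariations message. Each 5-byte group in the question's byte dump is one tag byte (0x08 = field 1, wire type varint) followed by a 4-byte varint, so the decoded list is the set of trial identifiers this install was reporting.

```python
import base64

# Constructed input: the header value quoted in the question above.
HEADER = "CNa1yQEIjrbJAQiYtskBCKK2yQEIp7bJAQiptskBCLmDygE="


def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def parse_fields(buf):
    """Walk a protobuf wire-format message without a schema.
    Returns a list of (field_number, wire_type, value) tuples; values of
    varint fields are ints, the other wire types are returned as raw bytes."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x7
        if wire == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire == 1:                    # fixed 64-bit
            value, pos = buf[pos:pos + 8], pos + 8
        elif wire == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        elif wire == 5:                    # fixed 32-bit
            value, pos = buf[pos:pos + 4], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wire} at offset {pos}")
        if pos > len(buf):
            raise ValueError("field runs past end of message")
        fields.append((field, wire, value))
    return fields


def variation_ids(header_value):
    """Base64-decode an X-Chrome-Variations value and return the varint
    values of field 1 (ClientVariations.variation_id)."""
    raw = base64.b64decode(header_value, validate=True)
    return [v for f, w, v in parse_fields(raw) if f == 1 and w == 0]


if __name__ == "__main__":
    print(variation_ids(HEADER))
```

The seven IDs it prints are what the answer's chrome_resource_dispatcher_host_delegate.cc code packs into the header; comparing the list across installs is how you would judge how much of a fingerprint it contributes.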