
x-client-data header should not be sent in requests #8049

Closed
immanuelfodor opened this issue Feb 4, 2020 · 15 comments · Fixed by brave/brave-core#7886

Comments

immanuelfodor commented Feb 4, 2020

Test plan

  1. Visit youtube.com and open a video
  2. Open browser dev tools
  3. Go to network tab
  4. Reload page
  5. Inspect the original request and look for headers. You should NOT see an x-client-data header. Prior versions (and versions without this fix) will be sending the header

Updated Issue Description (notes from @bsclifton)

Visiting sites like youtube.com will show an x-client-data header. This wasn't in Brave for a long time because we didn't use the variations server. This showed itself recently since we did recently create a Brave-specific variations server. This header should be disabled.

Original Issue Description

There is an ongoing conversation about the Chrome/Chromium x-client-data header here bromite/bromite#480 and here w3ctag/design-reviews#467 (comment)

Does Brave Desktop/Android send a unique client ID (x-client-data) to Google properties (google.com etc)?
This is considered a "backdoor" for Google (and google only!) to track users even without cookies.

If Brave sends this header - can it be removed?
If Brave doesn't send this header - maybe worth mentioning in some privacy features list?
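Step 5 of the test plan above can be checked without reading every request by hand: save the Network tab as a HAR file and scan it. The script below is an added example, not part of the issue or of Brave's code; the HAR fragment and the header value in it are constructed, and the lookup is case-insensitive because HTTP header names are.

```python
import json
import sys

# Constructed HAR fragment (not a real capture). One request carries the header
# and one does not. A real file comes from DevTools -> Network -> "Save all as HAR".
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.youtube.com/watch?v=example",
                     "headers": [{"name": "Host", "value": "www.youtube.com"},
                                 {"name": "X-Client-Data", "value": "CONSTRUCTED_VALUE"}]}},
        {"request": {"url": "https://example.org/",
                     "headers": [{"name": "Host", "value": "example.org"}]}},
    ]}
})


def find_client_data_headers(har_text, header="x-client-data"):
    """Return [(url, value), ...] for every request in the HAR that sends `header`.

    Header names are compared case-insensitively; DevTools may record them
    in any casing, and the browser may emit "X-Client-Data" rather than lowercase.
    """
    har = json.loads(har_text)
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        for h in req.get("headers", []):
            if h.get("name", "").lower() == header.lower():
                hits.append((req.get("url", ""), h.get("value", "")))
    return hits


def report(har_text):
    """One-line PASS/FAIL summary plus the offending request URLs, if any."""
    hits = find_client_data_headers(har_text)
    if not hits:
        return "PASS: no x-client-data header in any captured request"
    lines = [f"FAIL: {len(hits)} request(s) sent x-client-data:"]
    lines += [f"  {url} -> {value}" for url, value in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_har.py capture.har   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HAR
    print(report(text))
```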

@immanuelfodor (Author)

Also submitted this issue to https://github.com/brave/browser-android-tabs/issues/2505 but if the current repo is for the Android browser as well, feel free to close that one and keep only this one open.

ghost commented Feb 4, 2020

If Brave sends this header - can it be removed?

Have you checked? If no, could you? Can't get hands on it rn.

@MitchellNZ

Just did a quick test on Windows 10.
Can't see Brave sending this request header (like I can when I test on Chrome).
Tested by accessing youtube.com (with and without Brave shields - same result).

@immanuelfodor (Author)

Have you checked? If no, could you? Can't get hands on it rn.

I was using my phone when I submitted this (evening), and I'm still on my phone (morning); I'd gladly check it otherwise 😅 If somebody has a laptop, please check it, or I'll report back later in the day when I'm with a desktop.

@immanuelfodor (Author)

Just did a quick test on Windows 10.
Can't see Brave sending this request header (like I can when I test on Chrome).
Tested by accessing youtube.com (with and without Brave shields - same result).

Great news for a start! I have a Linux OS, will see that build, too.

@spacevoyager78

I find it strange that Chromium doesn't send this header, just Chrome.

jumde (Contributor) commented Feb 6, 2020

@immanuelfodor @WiZaRD13 - This is related to the variations service. Since variations are disabled in Brave, you should not be seeing the x-client-data header when using Google Services. I verified that this header is not sent in requests to google properties with Brave. If you're seeing this in the requests please let me know.

We have a wiki page to highlight the features we remove or disable in Chromium: https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)

@immanuelfodor (Author)

Sorry for the delay, I managed to check it finally, and it's indeed not there in Brave Desktop.

I suppose it's the same with the Android app as well if they use the same core (and I don't know how to check it there).

@bbondy bbondy added this to the Closed / Invalid milestone Jun 3, 2020
Th3l5D commented Feb 7, 2021

Hello,

Sorry to ask to reopen the issue, but I recently saw that Brave Desktop does use this header, at least on youtube.com

Do you know why this header is now part of Brave, and if there is any way to disable it?

@bsclifton (Member)

I was able to verify this header is sent via requests to youtube.com on Nightly (1.22.6) and Release (1.19.92). For example, I'm seeing:
[screenshot of the request headers]

I made sure Google logins for extensions was off (it's off by default) and also I made sure to disable Google like buttons / logins for sites. I wonder if our variations server (not related to Google) is using this and sending it?

@moritzhaller @iefremov is this related to the variations server implementation we have? (is our implementation re-using the Chromium code?)

cc: @jumde

@bsclifton bsclifton reopened this Feb 8, 2021
iefremov (Contributor) commented Feb 8, 2021

@bsclifton Yeah I think this is our variations service. We need to explicitly disable this header

@bsclifton bsclifton removed this from the Closed / Dupe / Invalid milestone Feb 8, 2021
@bsclifton bsclifton changed the title Clarification: x-client-data header to google.com? x-client-data header should not be sent in requests Feb 8, 2021
@iefremov iefremov self-assigned this Feb 8, 2021
iefremov added a commit to brave/brave-core that referenced this issue Feb 9, 2021
iefremov (Contributor) commented Feb 9, 2021

Follow-up to add tests #14053

@iefremov (Contributor)

@bsclifton should we uplift?

@bsclifton (Member)

@iefremov yes - I'll create the uplifts now. We can uplift to 1.20 (release 2)

GeetaSarvadnya commented Feb 17, 2021

Verification passed on

Brave 1.20.104 Chromium: 88.0.4324.152 (Official Build) (64-bit)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS Windows 10 OS Version 2004 (Build 19041.804)
  • Verified the STR from the description

[screenshots: 1.20.103 and 1.20.104]

Verification passed on

Brave 1.20.104 Chromium: 88.0.4324.152 (Official Build) (64-bit)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS Ubuntu 18.04 LTS
  • Verified the STR from the description


Verified FIXED on

Brave 1.20.104 Chromium: 88.0.4324.152 (Official Build) (x86_64)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS macOS Version 11.2.1 (Build 20D74)

using the STR from the description; no x-client-data header was sent.

