should sec-ch-ua headers be visible in FetchEvent.request.headers

[wanderview]

Currently the spec requires that user-agent header be set after the service worker fetch handler, so the user-agent header is not visible on FetchEvent.request.

Client hints headers in general, however, are added prior to service worker processing:

https://wicg.github.io/client-hints-infrastructure/#fetch

This results in the new sec-ch-ua headers appearing on FetchEvent.request which seems inconsistent with not exposing user-agent.

What do folks think we should do here? Accept the difference between sec-ch-ua and user-agent? Align sec-ch-ua with current user-agent behavior?

@annevk @jakearchibald @youennf

[wanderview]

This affects fetch-request-xhr.https.html WPT test.

[jakearchibald]

Is the content of these headers defined anywhere? It isn't clear what they contain.

Is there a security reason to prevent them being visible in the service worker?

I think the user-agent header can already be overridden by script, whereas client hints cannot, as they start with sec-, although it looks like they may drop that requirement.

Do we know what behaviour they want?

[wanderview]

@yoavweiss can hopefully answer that.

[yoavweiss]

Is the content of these headers defined anywhere? It isn't clear what they contain.

https://wicg.github.io/ua-client-hints/

Do we know what behaviour they want?

For other client hints (which may vary over time), it seems critical for the Service Worker to see the hints so that it can respond with the right variant.
For UA-CH specifically, I don't see any harm in exposing them, but there's also no huge benefit in doing that, other than simplifying the processing model and implementations.

[yoavweiss]

/cc @amtunlimited

[annevk]

There's a set of low-level problem with these headers that hasn't been resolved, e.g., whatwg/fetch#1000. There's also whatwg/fetch#726 from 2018 without many updates.

[jakearchibald]

@annevk can you remember why the user agent header is added so late in fetch?

[annevk]

That's how implementations did it and I don't think we considered changing that when adding service workers.