nickr

🔥 Just scored 190 points (Expert level) on our Bot Detection Challenge Built this as internal training - turned out way more fun than expected Think you can beat my score? It's trickier than it looks 👀 Accuracy + speed both count, just like real systems https://t.co/1GIX0lXWJi

I was reading a HN post about a new Chrome header `x-browser-validation` that appeared in the wild. The quality of the discussion is just absolutely abysmal, but it turns out to be quite interesting: - I first tried to validate if the post is actually talking about something real and the answer is: Not really. At least not generally. You can easily validate by going to any[See below] website and check devtools. - Chrome does NOT actually generally send a new header called x-browser-validation (a lonely commenter on HN realized this but was ignored) - However, knowing Google quite well, I was like: “Maybe it is real, but they only send it to their own properties” - Turns out that is right. https://t.co/S9khBbdbWS and https://t.co/aZC3iGVPgv (at the very least) actually do get the header - Can it be used for tracking? Not really, it’s sha1(userAgent + hardCodedAPIKeyThatIsNowOnGithub) - Can it be used for validating real browsers? No, cause, like, it’s a hard coded value - What is it for then: My guess is that this is used to remove noise from experimentation that happens during Chrome version and potentially feature roll out. It must be a use case where there is more accidental spoofing than malicious activity