Structured request headers deployment issues

Yoav Weiss <> Mon, 15 June 2020 22:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3B05C3A0E9C for <>; Mon, 15 Jun 2020 15:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.648
X-Spam-Status: No, score=-2.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U8PFCHlOA8-m for <>; Mon, 15 Jun 2020 15:18:59 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 72F2F3A0E9B for <>; Mon, 15 Jun 2020 15:18:58 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jkxOJ-00014m-4j for; Mon, 15 Jun 2020 22:15:43 +0000
Resent-Date: Mon, 15 Jun 2020 22:15:43 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jkxOE-000140-Rz for; Mon, 15 Jun 2020 22:15:38 +0000
Received: from ([2a00:1450:4864:20::131]) by with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <>) id 1jkxOB-0001iA-15 for; Mon, 15 Jun 2020 22:15:38 +0000
Received: by with SMTP id d27so5939119lfq.5 for <>; Mon, 15 Jun 2020 15:15:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=j00wCmBTdXOoXtNGE/lNQd5eOyfUgzuC1BfNg1JgOcU=; b=DjQsNe4BWwoZxY+Sh9Z3fqla5M+0AxLo6BAnr7UeBltAxHVdEuJHTwfBXFtJU97giE 43pj1p2Yz3H65y/pjVzeRgEkfH0oSMC9/u4psZ1OxikSv9ex5JYueSaZojwUPDeBtoUj nxyba3cV0fC2dI1MsZPlqSRWW+Wa9L5M3kGXeQuvliM32i0fsolY4AtaHwVGIiGD0aVZ 6k9rZ8LQZ4HHjzAF6wHVnysYsFP5BghWdeD4muxKhTRuMMIjgVDGw1AiBTIGcj78UJ5z E6t5rxaI2fG/y8zV99FwoKHsEbWrxm8IuP12S78gL+788vfp5y0Q9/jRUuLv+EBxo5AG QZsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=j00wCmBTdXOoXtNGE/lNQd5eOyfUgzuC1BfNg1JgOcU=; b=BN4g7gqiMwdxYpgraIm7iPEkRyJama+bCGnLTRIeVebCB0e3Ees9wvjeMfM5ueEgUI 5EdiNjf4a73VKS0cIyeRB34tWXu1ewPaRs+MPWOvqwBQX3eDQDkK4ox9qNbpuMIN+DVv eYc8OPUXxgt6uPul7AOfzuAVYD2hAEBbNURJYqj8tVj/Dyim3I2wjiC6hDUcE4cmApx3 06OyxzfJ8YnFRJ0ZpNim/LpIRhaZDnhLM9Dt62bHWv4WI4em8HD9T1L0fFJ3QernqYZv 0B2HfkWCLsom1YaUbzQmrQLLZFLlbkaji/S1YSK65B3waxhyPhuNKNh5i34KZqWvliMY ohxg==
X-Gm-Message-State: AOAM533l7tMFPRn3m3+I4PqCzStBzaFkiAkrU9vnNicNovrEgnfqo0x2 ErHBPsDMPhDpgCvhxC8mihEgxQSjXKzH2gWqVs5graoW
X-Google-Smtp-Source: ABdhPJwve77+crXEPS/TC0OutlRzpwxurYPfq54Agz9+HieOsoJXuHy+74m3x07uFK9JH4znWf4H+p3dFVJ8bOWlG/Y=
X-Received: by 2002:ac2:5f07:: with SMTP id 7mr64177lfq.132.1592259322619; Mon, 15 Jun 2020 15:15:22 -0700 (PDT)
MIME-Version: 1.0
From: Yoav Weiss <>
Date: Tue, 16 Jun 2020 00:15:06 +0200
Message-ID: <>
To: " Group" <>
Cc: Mark Nottingham <>, Tommy Pauly <>, Ilya Grigorik <>, Mike West <>
Content-Type: multipart/alternative; boundary="00000000000050c43305a826c30c"
Received-SPF: pass client-ip=2a00:1450:4864:20::131;;
X-W3C-Hub-Spam-Status: No, score=-8.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1jkxOB-0001iA-15 64b77f17c53ea5686777f00b25afc2fb
Subject: Structured request headers deployment issues
Archived-At: <>
X-Mailing-List: <> archive/latest/37769
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Hey all,

Chromium M84 (which Chrome equivalent is now in Beta) has User-Agent Client
Hints enabled by default, which is using Structured Headers.

As a result of that, we found multiple sites
<> which seem
to have a somewhat allergic reaction to the presence of certain characters
(that are part of the SH format) in request values.
While each site in question is different (in what appears to be coming from
different stacks), we've seen sites that reject requests with quotes,
question marks or equals signs in them.
It's still early, so it's hard to know how widespread the issue is, but we
seem to be adding sites to the list at a faster pace than the pace of
removing fixed ones from it.

So, I wanted to give this group a heads-up on that front, and maybe get
folks' opinions regarding possible things we could do on that front, other
than outreach and waiting for said sites to fix themselves.