我一直在寻找通过镀铬的提琴手发送HTTP请求,我注意到下面的HTTP标头,我感到困惑:
X-Chrome-Variations: CNa1yQEIjrbJAQiYtskBCKK2yQEIp7bJAQiptskBCLmDygE=
这是一个64位编码的35字节数组:
8,214,181,201,1,
8,142,182,201,1,
8,152,182,201,1,
8,162,182,201,1,
8,167,182,201,1,
8,169,182,201,1,
8,185,131,202,1
我已经看到了网络上的这个数字的几个例子。
任何人都可以向我解释这是什么,以及为什么铬发送出去(如果它可以被用来识别/跟踪我)?
Google Chrome developers test experimental features by enabling a feature for a small random selection of Chrome installs and watching how the feature works. The common term for this is field trials. When Google Chrome runs for the first time, it generates a random number between 1 and 8192 and later uses it to determine whether to participate in a particular field trial.
The "Google Chrome and Privacy" whitepaper (PDF, October 2012, current as of Chrome 22.0.1229.79) provides these details.
To help guide the construction of features that users actually find useful, a subset of users may get a sneak peek at new functionality before it’s launched to the world at large. The field trials that are currently active on your installation of Chrome will be included in all requests sent to Google servers to allow Google to filter logs for only those generated by a given variation of Chrome. This Chrome-Variations
header will not contain any personally identifiable information, and will strictly describe the state of the installation of Chrome itself.
The variations active for a given installation are determined by a seed number between 1 and 8192 (13 bits of entropy) which is randomly selected on first run. If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”.
Google Chrome sends information about which field trials are currently active to all domains of the form *.google.<TLD>
(where .<TLD>
is a top-level domain, such as .com, .org, .co.uk, .cn, .biz and so on). Most but not all of those domains are owned by Google. The field trial identifiers are stored in a protocol buffer, encoded with base64 and sent in the X-Chrome-Variations
header. If you have opted in to send usage statistics and crash reports to Google (a checkbox accessible at chrome://chrome/settings/search#privacy
), an X-Chrome-UMA-Enabled: 1
header is also sent. The headers are not sent when in Incognito mode.
Starting with revision 156914 (included in Chrome 23 and later versions according to the release table), the list of field trials is displayed under the Variations title on the about:version
page.
The relevant source code is in the chromium/src/chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc file. The headers are sent in the ChromeResourceDispatcherHostDelegate::AppendChromeMetricsHeaders
method. The value of X-Chrome-Variations
is constructed in the ChromeResourceDispatcherHostDelegate::UpdateVariationIDsHeaderValue
method. Field trials are defined using the base::FieldTrial
class from file src/base/metrics/field_trial.h
As for the ability to track you using those headers, that depends on the uniqueness properties of the actual combination of your field trials, which I'm not aware of. But keep in mind that even if you strip the X-Chrome-Variations
headers, disable cookies, local storage and Flash local storage, your browser may still be identifiable using cache fingerprinting techniques or using the combination of the request headers it normally sends, your system configuration info available to JavaScript or Flash and possibly the IP address blocks you tend to use, as demonstrated by EFF's Panopticlick. So the privacy game is basically lost unless you use a carefully configured Tor with Privoxy setup, and even then leaks are possible.