X-Client-Data Header as Chrome User Identification Method

During the discussion of Google's initiative to unify the contents of the User-Agent HTTP header, the developer of the Kiwi Browser drew attention to Chrome's "X-Client-Data" HTTP header, which potentially violates the EU General Data Protection Regulation (GDPR). The discussion also criticized the duality of Google's actions: on the one hand it promotes methods for blocking hidden identification and user tracking, while on the other it is in no hurry to remove support for the X-Client-Data header from Chrome, even though the header can be used to identify browser instances when they access Google services.

The X-Client-Data header is not hidden functionality; its behavior is described in the documentation. Through X-Client-Data, Google receives data about which experimental features are active in Chrome when it accesses Google's own sites (for example, during an experiment Google can enable certain test features on YouTube if the browser supports them, or try to correlate emerging problems with the activation of experimental functions).

The header is sent only for HTTPS requests to Google sites whose hostnames match the masks "*.doubleclick.net", "*.googlesyndication.com", "www.googleadservices.com", "*.google.<TLD>" and "*.youtube.<TLD>". In incognito mode the header is not populated, but if the user's authenticated Google profile is switched to a guest profile, or when the browsing-data wipe operation is invoked, the header is not reset and continues to be sent with the same value.

It is stated that the header does not contain personally identifiable information, but only describes the state of the Chrome installation and the active experimental features. If sending of browser usage telemetry and crash reports is disabled in the settings, only 13 bits of entropy (8192 possible combinations) are used to generate the base value of the X-Client-Data header, which is not enough for identification on its own.

Given that the header also encodes some settings and system parameters, the content of X-Client-Data is, in the end, quite suitable as an additional data source for indirect user identification over a short period of time (experimental features are turned on and off over time, which leads to periodic changes in the X-Client-Data value).

However, in addition to the initial entropy, the X-Client-Data value also depends on a seed returned by Google's servers, which in turn depends on the country, IP address and other criteria that Google considers important (for example, nothing prevents the server from returning a large random sequence, which would become an exact identifier).
In addition, the check against the Google domain masks when sending X-Client-Data does not exclude situations where an attacker registers a domain such as "youtube.xn--55qx5d" and starts collecting identifiers, since the "<TLD>" part of the "*.youtube.<TLD>" mask accepts any top-level domain, not just the ones Google owns.
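To make the domain-mask point concrete, the following is an added example written for this edit; it is not Chrome's source and not code from the original article. It approximates the host check described above using the masks the article lists, and shows that a host such as "youtube.xn--55qx5d" passes the "*.youtube.<TLD>" mask just as "www.youtube.com" does. The matching semantics are an assumption made for illustration: "*." means the bare host or any subdomain of it, and "<TLD>" means any single trailing label (multi-label public suffixes like "co.uk" are deliberately not modelled).

```javascript
// Added example (not Chrome's code): an approximation of the host check that
// decides whether X-Client-Data is attached to a request. The masks are the
// ones listed in the article; the matching rules below are an assumption.
const XCLIENTDATA_HOST_MASKS = [
  "*.doubleclick.net",
  "*.googlesyndication.com",
  "www.googleadservices.com",
  "*.google.<TLD>",
  "*.youtube.<TLD>",
];

// Match one mask against a hostname, label by label from the right.
//  - a leading "*." lets the mask match the host itself or any subdomain
//  - "<TLD>" matches exactly one label, whatever it is (including IDN
//    A-labels such as "xn--55qx5d"); real public-suffix handling is omitted
function hostMatchesMask(host, mask) {
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  let m = mask.toLowerCase().split(".");
  let anySubdomain = false;
  if (m[0] === "*") {
    anySubdomain = true;
    m = m.slice(1);
  }
  if (h.length < m.length) return false;
  if (!anySubdomain && h.length !== m.length) return false;
  const tail = h.slice(h.length - m.length);
  return m.every((label, i) => label === "<tld>" || label === tail[i]);
}

// Decide whether a request to `url` would carry X-Client-Data under the
// rules the article describes: HTTPS only, and the host must match a mask.
function sendsXClientData(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  return XCLIENTDATA_HOST_MASKS.some((mask) => hostMatchesMask(u.hostname, mask));
}

// Constructed sample URLs: legitimate Google hosts, a plain-HTTP request,
// two look-alike hosts that must NOT match, and the attacker-registrable
// "youtube.<some TLD>" case the article warns about (xn--55qx5d is the
// A-label form Node's URL parser produces for "youtube.公司").
const SAMPLE_URLS = [
  "https://www.google.com/search?q=x",
  "https://ad.doubleclick.net/pixel",
  "http://www.google.com/",
  "https://evil-google.com/",
  "https://google.com.evil.net/",
  "https://youtube.xn--55qx5d/collect",
  "https://youtube.公司/collect",
];

function classifySamples() {
  return SAMPLE_URLS.map((url) => ({ url, sendsHeader: sendsXClientData(url) }));
}

for (const r of classifySamples()) {
  console.log(`${r.sendsHeader ? "SENDS " : "omits "} X-Client-Data: ${r.url}`);
}
```

The look-alike hosts "evil-google.com" and "google.com.evil.net" are rejected because the comparison is done per label from the right, but "youtube.xn--55qx5d" is accepted for the same reason "www.youtube.com" is: the mask's final label is a wildcard, so any TLD an attacker can register under satisfies it.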

Source: opennet.ru