Comment by dmtroyer
6 years ago
I must be dense but I never see the `x-client-data` header in the request headers of the network tab in developer tools.
I just checked, I see it on Chrome when fetching resources from google.com, youtube.com, gstatic.com, and googlesyndication.com.
Try a packet capture. You wouldn't trust the browser to let you know all shady emails it is sending, right? :)
This did come to mind, hah.
I BELIEVE it is related to this section: https://github.com/chromium/chromium/blob/2e452bbf1fa092a742...
Right-click in the Name column, select "Save all as HAR with content". Then grep for the headers, e.g.,
While running Chrome, try
Handle to the shared memory segment containing field trial state that is to be shared between processes. The argument to this switch is the handle id (pointer on Windows) as a string, followed by a comma, then the size of the shared memory segment as a string.
Also, can try typing "chrome://versions" in the address bar
https://superuser.com/questions/541466/what-is-the-variation...
https://www.ghacks.net/2013/04/05/field-trials-in-chrome-how...
Further reading:
https://chromium.googlesource.com/chromium/src/+/master/comp...
https://chromium.googlesource.com/chromium/src/+/master/comp...
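Added example, not part of the original thread: one way to do the "save as HAR, then search for the header" check suggested above, listing which hosts received `x-client-data` in a saved HAR file. The function names, the sample entries and the placeholder header values are constructed for illustration.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlsplit

TARGET = "x-client-data"  # header name discussed in the thread

def requests_with_header(har, name=TARGET):
    """Return (host, url, value) for each HAR request that carries `name`."""
    wanted = name.lower()  # header names are case-insensitive; HAR keeps them as sent
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        for header in req.get("headers", []):
            if header.get("name", "").lower() == wanted:
                host = urlsplit(req.get("url", "")).hostname or ""
                hits.append((host, req.get("url", ""), header.get("value", "")))
                break  # count each request once
    return hits

def hosts_receiving(har, name=TARGET):
    """Count requests carrying `name`, grouped by destination host."""
    return Counter(host for host, _, _ in requests_with_header(har, name))

def _entry(url, headers):
    # Helper for the constructed sample below (not part of the HAR format itself).
    return {"request": {"url": url,
                        "headers": [{"name": k, "value": v} for k, v in headers]}}

# Constructed sample HAR; the header values are placeholders, not real data.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.google.com/", [("X-Client-Data", "CONSTRUCTED-VALUE")]),
    _entry("https://www.google.com/complete/search?q=a",
           [("accept", "*/*"), ("x-client-data", "CONSTRUCTED-VALUE")]),
    _entry("https://www.gstatic.com/og/app.js", [("x-client-data", "CONSTRUCTED-VALUE")]),
    _entry("https://example.org/", [("accept", "text/html")]),
]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for host, count in hosts_receiving(har).most_common():
        print(f"{count:4d}  {host}")
```

A HAR export only contains what DevTools recorded, so the packet capture suggested earlier in the thread remains the independent check.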
I just tried it now on google.com, and it sent it in 6 requests. You can ctrl+f in developer tools in Chrome.
I think extensions can filter out the x-client-data header, though Google should definitely make this data collection opt-in.
GDPR is very clear about this data being personal information [1], since Google has access to the IP address on the receiving end, which has been repeatedly tested in courts as being personal data.
Google is engaging in personal data harvesting without user consent and control, and no amount of mental gymnastics presented in their privacy whitepaper [2] will save them in courts.
[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
[2] https://www.google.com/chrome/privacy/whitepaper.html#variat...
Oh interesting, it must be an extension that is filtering it out for me (Ghostery, DDG Privacy Essentials or Adblock Plus in my case).
Can you also test under the incognito mode?
I've checked this already; Chrome doesn't send this header in incognito mode, and this is really good.
It seems that it does not send the "x-client-data" header in private mode, but it sends it when browsing in regular mode.
But unless you changed IP and other machine characteristics, they'll be able to link the machine-id with an alternative fingerprint (cf. amiunique/panopticlick).
That would mean they are actually not tracking you (via that method at least) in private mode. I was just about to investigate how or if they were tracking in porn mode.
It's limited to Google properties.