UACH in CORS

[willyaranda]

Hi,

I'm reading this https://web.dev/migrate-to-ua-ch/#strategy:-delegating-hints-to-cross-origin-requests and I think it does not cover our use case, so let me send this question.

We have a SDK that our customers link in their web pages to create WebRTC sessions. We have a QOS endpoint where we send our WebRTC stats along other internal stuff for debugging. We are using the user-agent header, and we are moving to the UACH (for example, Win11 on Edge cannot be detected using the user-agent header, as it is reporting itself as Win10)

If I'm not mistaken, our customers need to include in their webpages a Permissions-Policy header, and there is no way we can ask for that information directly in the headers of our QoS endpoint (which is in our domain, and not in the customer domain).

Is that correct? Could be using the JS API the only option for us right now? (and then sending the information we want like OS version and model directly in the payload to our QoS endpoint?)

Thanks!

[abeyad]

Thanks for your question!

If I'm not mistaken, our customers need to include in their webpages a Permissions-Policy header, and there is no way we can ask for that information directly in the headers of our QoS endpoint (which is in our domain, and not in the customer domain).

Yes, that's correct. The top-level site would need to delegate in the Permissions-Policy header that the embedded requests should also send the client hints in the request headers; the embeds are not able to control themselves what client hints they receive.

Could be using the JS API the only option for us right now? (and then sending the information we want like OS version and model directly in the payload to our QoS endpoint?)

For your case, using the JS APIs to get the client hint information and sending it in the request payload is definitely a way (and probably the only way) to get around the problem.

Hope this helps.