Page MenuHomePhabricator
Create Task
Maniphest T418989

CheckUser: Store x-is-browser, x-ja3n and x-ja4h CDN header values
Closed, ResolvedPublic
Actions

Description

Summary

The Wikimedia CDN edge layer sets an x-is-browser, x-ja3n, and x-ja4h request header containing a score indicating how likely a request is from a browser vs a script. Values above 80 suggest a browser; below 20 suggests a script. This value should be stored by CheckUser. In another task, we can figure out how to suface this information to Checkusers. See CDN/Backend_api for details.

Technical notes

Three storage approaches are considered:

  • New columns on CU tables (e.g. cuc_is_browser, cuc_ja3n, cuc_ja4h): Simple and fast to query. However, it may not store the raw value for these pieces of information and would be de-normalised if we did store the raw value.
  • Reusing cu_useragent_clienthints tables: The anti-spoofing guard in UserAgentClientHintsManager::insertClientHintValues rejects writes when mappings already exist for a reference ID, which would conflict with the JS API write path for browser-provided Client Hints. To work around this, we would need to update the handling to ignore these data points when checking if Client Hints had already been submitted. Additionally, we are adding non-Client Hints data to a table marked as storing Client Hints
  • New dedicated table (e.g. cu_request_headers): A key/value table with a mapping table, following the same pattern as cu_useragent_clienthints but for server-side CDN headers with no anti-spoofing constraint. One schema migration covers x-is-browser, x-ja3n, x-ja4h, and any future CDN headers. However, adding a new table to WMF wikis is likely a problem for #DBAs and the format of the table is likely to be the same as cu_useragent_clienthints within reason.
    • However, maybe this could be possible in the x1 cluster?

Acceptance criteria

  • The raw x-is-browser, x-ja3n and x-ja4h header value is stored when CheckUser records actions

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ClientHints: Don't collect header only on null editmediawiki/extensions/CheckUsermaster+35 -2
ClientHints: Don't collect header only on null editmediawiki/extensions/CheckUserwmf/1.46.0-wmf.23+35 -2
Collect x-is-browser, ja3n, and ja4h as Client Hintsmediawiki/extensions/CheckUsermaster+622 -134
UserAgentClientHintsManager: Don't get DB connections in constructormediawiki/extensions/CheckUsermaster+149 -166
Fix UserAgentClientHintsHandler::insertClientHintValues fatal paramsmediawiki/extensions/CheckUsermaster+9 -20
Customize query in gerrit

Related Objects

Event Timeline

kostajh created this task.Mar 4 2026, 10:40 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 4 2026, 10:40 AM
kostajh added a project: CheckUser.Mar 4 2026, 10:41 AM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMar 4 2026, 10:41 AM
kostajh updated the task description. (Show Details)Mar 4 2026, 10:47 AM
Dreamy_Jazz updated the task description. (Show Details)Mar 4 2026, 11:07 AM
XXBlackburnXx subscribed.Mar 4 2026, 1:02 PM
kostajh renamed this task from CheckUser: Display x-is-browser CDN header value in result rows to CheckUser: Store x-is-browser, x-ja3n and x-ja4h CDN header values.Mar 4 2026, 4:31 PM
kostajh updated the task description. (Show Details)
kostajh added a project: DBA.
Ladsgroup subscribed.Mar 4 2026, 7:39 PM

No concerns on db side of things. I'd only suggest that if you're not planning to search for ja3n or any of the three, then put them in a "cuc_extra_data" json blob column to reduce the maintenance overhead. But if you want to allow CUs to look for specific ja3n or ja4h, then each need a dedicated column.

Ladsgroup edited projects, added: Data-Persistence (work done); removed: DBA.Mar 16 2026, 2:16 PM
Dreamy_Jazz edited projects, added: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed: Product Safety and Integrity.Mar 24 2026, 1:00 PM
OKryva-WMF moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 25 2026, 12:59 PM
Dreamy_Jazz claimed this task.Mar 30 2026, 3:15 PM
gerritbot added a comment.Mar 31 2026, 11:43 AM

Change #1265400 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [WIP] Collect X-Is-Browser, ja3n, and ja4h as Client Hints

https://gerrit.wikimedia.org/r/1265400

gerritbot added a project: Patch-For-Review.Mar 31 2026, 11:43 AM
Dreamy_Jazz moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 31 2026, 11:49 AM
gerritbot added a comment.Mar 31 2026, 9:27 PM

Change #1265579 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] UserAgentClientHintsManager: Don't get DB connections in constructor

https://gerrit.wikimedia.org/r/1265579

gerritbot added a comment.Mar 31 2026, 10:12 PM

Change #1265597 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Fix UserAgentClientHintsHandler::insertClientHintValues fatal params

https://gerrit.wikimedia.org/r/1265597

Dreamy_Jazz moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 31 2026, 10:37 PM

(Some patches are ready to review now)

gerritbot added a comment.Apr 1 2026, 8:09 PM

Change #1265597 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Fix UserAgentClientHintsHandler::insertClientHintValues fatal params

https://gerrit.wikimedia.org/r/1265597

gerritbot added a comment.Apr 1 2026, 8:16 PM

Change #1265579 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] UserAgentClientHintsManager: Don't get DB connections in constructor

https://gerrit.wikimedia.org/r/1265579

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.23; 2026-04-07).Apr 1 2026, 9:00 PM
A09 subscribed.Apr 2 2026, 11:27 AM
gerritbot added a comment.Apr 2 2026, 1:57 PM

Change #1265400 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Collect x-is-browser, ja3n, and ja4h as Client Hints

https://gerrit.wikimedia.org/r/1265400

kostajh moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 2 2026, 2:03 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 2 2026, 2:31 PM
Dreamy_Jazz moved this task from Needs QA to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 7 2026, 5:33 PM
gerritbot added a comment.Apr 7 2026, 5:38 PM

Change #1268611 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] ClientHints: Don't collect header only on null edit

https://gerrit.wikimedia.org/r/1268611

gerritbot added a project: Patch-For-Review.Apr 7 2026, 5:38 PM
gerritbot added a comment.Apr 7 2026, 5:48 PM

Change #1268612 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@wmf/1.46.0-wmf.23] ClientHints: Don't collect header only on null edit

https://gerrit.wikimedia.org/r/1268612

gerritbot added a comment.Apr 7 2026, 6:00 PM

Change #1268611 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] ClientHints: Don't collect header only on null edit

https://gerrit.wikimedia.org/r/1268611

gerritbot added a comment.Apr 7 2026, 6:00 PM

Change #1268612 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@wmf/1.46.0-wmf.23] ClientHints: Don't collect header only on null edit

https://gerrit.wikimedia.org/r/1268612

Stashbot added a comment.Apr 7 2026, 6:01 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T18:01:26Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:1268612|ClientHints: Don't collect header only on null edit (T418989)]]

Stashbot added a comment.Apr 7 2026, 6:05 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T18:05:00Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:1268612|ClientHints: Don't collect header only on null edit (T418989)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Apr 7 2026, 6:13 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T18:13:41Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:1268612|ClientHints: Don't collect header only on null edit (T418989)]] (duration: 12m 14s)

Dreamy_Jazz moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Apr 7 2026, 6:14 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 7 2026, 6:31 PM
ReleaseTaggerBot edited projects, added: MW-1.46-notes (1.46.0-wmf.24; 2026-04-14); removed: MW-1.46-notes (1.46.0-wmf.23; 2026-04-07).Apr 7 2026, 7:00 PM
Dreamy_Jazz closed this task as Resolved.Apr 9 2026, 8:17 PM
Dreamy_Jazz moved this task from Needs QA to Done on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
Dreamy_Jazz updated the task description. (Show Details)
Soda subscribed.Apr 13 2026, 3:11 AM
mszwarc mentioned this in T427035: CheckUser: JA3N, JA4H and isBrowser are not stored for private events other than checkuser-private-event/*.Fri, May 22, 8:58 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits