Skip to content

[loop cycle 6] fix(calls/capability): complete the Chrome high-entropy client-hints set#14

Merged
karem505 merged 1 commit into
masterfrom
whatrust-loop/cycle-6-uadata-high-entropy
Jun 28, 2026
Merged

[loop cycle 6] fix(calls/capability): complete the Chrome high-entropy client-hints set#14
karem505 merged 1 commit into
masterfrom
whatrust-loop/cycle-6-uadata-high-entropy

Conversation

@karem505

Copy link
Copy Markdown
Owner

What

Hardens the Chrome capability/calling detection. The navigator.userAgentData shim's getHighEntropyValues() returned only a partial set and left platformVersion empty. A strict check (the kind WhatsApp uses to decide capability and calling eligibility) reads bitness, fullVersionList, and wow64 — their absence, plus an empty platformVersion, can read as "not a real Chrome UA-CH implementation."

This complements cycle 3 (window.chrome): together they present a consistent Chrome identity.

How

Return the full, internally-consistent set matching the spoofed Chrome 131 UA:

field value
architecture x86 (Chrome reports x86 for x86_64)
bitness 64
brands major versions (131)
fullVersionList full versions (131.0.0.0)
mobile / model false / ""
platform / platformVersion Linux / 6.0.0
uaFullVersion / wow64 131.0.0.0 / false

The hints argument is intentionally ignored (the shim is the implementation); returning unrequested keys is harmless. Top-level brands/mobile/platform are unchanged.

Verification

Gate 1 — cargo build --locked + cargo test: PASS (51 tests).

Gate 2 — real WebKitGTK engine harness (origin spoofed): PASS — getHighEntropyValues([...]) resolves with bitness:"64", wow64:false, fullVersionList length 3 (Chrome 131.0.0.0), platformVersion:"6.0.0", uaFullVersion:"131.0.0.0"; top-level shim still reports 3 brands, mobile false, platform Linux.

Gate 3 — generation-blind code review: APPROVE, severity none, no must-fix. Confirmed architecture:"x86" per WICG spec, the major-vs-full version split matches real Chrome, the new fields are correct for Linux x86_64, valid object literal (no duplicate keys, no NUL), and no regression (additions only make the identity more Chrome-like).


🤖 PR-ONLY — do not auto-merge. Releasing whatRust is manual via a v* tag; this loop never merges, bumps the version, or tags a release. Opened by the whatrust-fix-loop (cycle 6/6 — final).

…ints set

The navigator.userAgentData shim's getHighEntropyValues() returned only a partial set
(platform, platformVersion="", architecture, model, uaFullVersion). A strict Chrome
capability/calling-eligibility check reads bitness, fullVersionList and wow64, and an
empty platformVersion plus those missing keys can read as "not a real Chrome UA-CH
implementation".

Return the full, internally-consistent set matching the spoofed Chrome 131 UA:
architecture "x86", bitness "64", brands (major) + fullVersionList (full versions),
mobile false, model "", platform "Linux", platformVersion "6.0.0", uaFullVersion
"131.0.0.0", wow64 false. The hints argument is intentionally ignored (the shim is the
whole implementation); returning unrequested keys is harmless. Top-level
brands/mobile/platform are unchanged.

Verified in a real WebKitGTK engine (origin spoofed to web.whatsapp.com):
getHighEntropyValues resolves with bitness "64", wow64 false, fullVersionList length 3
(Chrome "131.0.0.0"), platformVersion "6.0.0"; the top-level shim still reports 3 brands,
mobile false, platform "Linux".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016o9cWBaPy4zU4BAurUVoTp
@karem505 karem505 merged commit 3442983 into master Jun 28, 2026
6 checks passed
karem505 added a commit that referenced this pull request Jun 28, 2026
Bundles six loop-shipped fixes:
- perf(dnd): stream dropped files as base64 to cut peak memory on large videos (#9)
- fix(notifications): forward service-worker showNotification to the native toast (#10)
- feat(calls): expose a minimal window.chrome so WhatsApp enables call buttons (#11)
- fix(notifications): de-duplicate burst-repeated native toasts (#12)
- fix(dnd): route AVIF/HEIF photos as photos; broaden MIME labels (#13)
- fix(calls/capability): return a complete Chrome high-entropy client-hints set (#14)
Plus integration: SW notifications share the dedup window; base64_encode is test-only now.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016o9cWBaPy4zU4BAurUVoTp
@karem505 karem505 deleted the whatrust-loop/cycle-6-uadata-high-entropy branch June 28, 2026 01:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant