User A sends 2-3 HTTP headers, the bare minimum, e.g., Host, Connection, maybe User-Agent or Cookie in some instances if required. User A has disabled Javascript unless she needs it.
There is actually no technical reason that an HTTP request needs to be any more than
GET / HTTP/1.0
It's nice for the server to know your user agent, what fonts you have installed, your OS, and whatever else, but it is not necessary and so the majority of the problem of fingerprinting browsers is one created by the browser developers themselves. The original concept of the web was that the client controlled the rendering, the server shouldn't care about what specific fonts you have or the size of your screen.
There is no reason that the Firefox or Safari developers couldn't decide in the next version to send only bare minimal request headers.
Is it actually possible to request most sites that way, without a host header? Maybe if it's tls and you already used sni, but I think most sites use a cdn that uses some form of virtual hosting to share ip addresses.
Consider the basic httpd feature of providing an automatically generated index to a directory. It is possible to locate content, including names of virtual hosts, with only an IP address.
That is perhaps the least convincing test case you could have chosen to support your argument. (You basically proved you could fetch a content-less page, in part because that was the easiest proof case you could write, but because it didn’t demonstrate anything that an HN reader would come here for, it doesn’t resonate convincingly.)
All that additional crud has probably contributed to the "relative ease" of conducting tracking as well as the "richness" of the data one can gather from tracking. Why should we ignore this simple fact.
The people behind these browers, especially Mozilla, keep assuring the public they are working to protect user privacy. This may be true to some extent but what they are not telling the public is how they are working to ensure the online advertsing industry continues to thrive, i.e., how they are working to ensure they do not upset the status quo. The words do not match the actions.
I would not rely on the browser developers to address this problem. To experiment with how well minimalism works on today's web, one can use alternative HTTP clients that allow control over headers and/or one can use a forward proxy one can remove/modify headers generated by the browser.
There is actually no technical reason that an HTTP request needs to be any more than
It's nice for the server to know your user agent, what fonts you have installed, your OS, and whatever else, but it is not necessary and so the majority of the problem of fingerprinting browsers is one created by the browser developers themselves. The original concept of the web was that the client controlled the rendering, the server shouldn't care about what specific fonts you have or the size of your screen.There is no reason that the Firefox or Safari developers couldn't decide in the next version to send only bare minimal request headers.