The X-USER-STAGING-ID header electron-builder sends is a privacy violation

[fortuna]

Whenever electron-builder fetches the update file, it sends a X-USER-STAGING-ID header that uniquely identifies the user. That is a privacy violation that affects any Electron app using electron-builder. See code at

electron-builder/packages/electron-updater/src/AppUpdater.ts

Line 406 in 66bef0f

client.setRequestHeaders(this.computeFinalHeaders({ "x-user-staging-id": stagingUserId }))

It looks like it was added back in 2017 to support some advanced version of staged rollouts.

Please disable the X-USER-STAGING-ID by default and don't enable it without explicit developer action. You don't need that for staged rollouts.

[mmaietta]

Can you elaborate on how that is a privacy violation?

Unfortunately, disabling it by default is a breaking change, so that doesn't feel like we can easily take that approach. The final headers still will allow overrides via this.requestHeaders being set, so if you were to provide x-user-staging-id: "", that seems like you'd resolve your privacy issue?

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.