How will bots using plugins and headless mode be managed with this? #23

Open
Kuldran opened this issue Oct 24, 2023 · 2 comments

Comments

@Kuldran

Kuldran commented Oct 24, 2023

Chrome has been used to mimic legitimate user traffic with the use of plugins. Will this type of traffic be opted out when using automation tools and/or plugins, to limit abuse on the proxy network? Or would a header be sent to inform the destination that this particular request should be handled with care?

@DavidSchinazi
Collaborator

This feature will require users to be logged in, and we will use blinded tokens to only allow access to such users (without making user identifiers visible to the proxy).

@Kuldran
Author

Kuldran commented Oct 27, 2023

With due respect @DavidSchinazi, I don't think this project has been well thought out regarding abuse potential. I would expect a more concrete answer. Google staff is expecting us to get on board with this; I agree that privacy is something we all strive for. That said, an answer to a serious question to the tune of "don't worry about it" or "we will fake it till we make it" is not something I expected from a dev, especially one of your experience.

The issue at hand revolves around people who have a skill set which allows them to make an income manipulating a browser in such a fashion that distinguishing their actions from a typical user and non-user is near impossible. Adding credential requirements means little to nothing to them. In most cases, it's 1 to 3 extra methods maybe. This is assuming that we are not talking about vectors where a malicious plugin abuses a person's browser and/or steals tokens.

The threat of session stealing/hijacking also becomes an issue; saying "we expire tokens" does not change the fact that bad actors can still have a window of abuse. Depending on the attack vector, Chrome/Google's only recourse would be to term accounts.
