Chrome impersonation fails because of insufficient ALPS implementation

[vladfrangu]

As talked on Slack, reporting here for tracking purposes

Test file:

import { Browser, Impit } from 'impit';

const impit = new Impit({ browser: Browser.Chrome });

const buff = await impit.fetch('https://www.google.com/');

console.log(buff.status);
console.log(buff.headers);
console.log(await buff.text());

Error:

❯ node --experimental-strip-types impit.ts                                      
node:internal/modules/run_main:122
    triggerUncaughtException(
    ^

[Error: RequestError(
    reqwest::Error {
        kind: Request,
        url: "https://www.google.com/",
        source: hyper_util::client::legacy::Error(
            SendRequest,
            hyper::Error(
                Io,
                Custom {
                    kind: InvalidData,
                    error: "received fatal alert: UnexpectedMessage",
                },
            ),
        ),
    },
)] {
  code: 'GenericFailure'
}

Node.js v22.13.0

[barjin]

Upon deeper inspection, this seems more like a Client Hints via ALPS (Application layer protocol settings) issue.

See that the Unexpected Message (0x02 0x0a) TLS Alert comes right after the Client sends the HTTP/2 headers.

In the ALPN/ALPS extension message, the server picks HTTP/2 and sends an ALPS message containing what seems like HTTP header names:

Unfortunately, making impit send those headers doesn't solve this issue.

Removing the ALPS extension from the ClientHello sent by Impit does make the requests work.
For now, we could mitigate this issue like this, but this makes Impit more detectable (as it directly modifies - among others - its JA4 fingerprint).