<< Better quality for everyone | The roads I take... | Integration eines Magento-2-Webshops mit FreeFinance und selbstgebautem Warenmanagement >>

The fight for the suckiest UA string

Sure, User Agent strings suck. Well, actually, they are useful - at least for statistics.

This way, browser usage on different websites can be monitored and interesting stats can be generated, just like I did some time ago here.

And there are good specs that describe how a user agent should look (defined in HTTP 1.0 and HTTP 1.1 RFCs) - but even those already state "Note: Some existing clients fail to restrict themselves to the product token syntax within the User-Agent field."
Yay - the spec already notes that clients don't comply with the spec. Nice.

But it's even worse: The spec notes for what purpose this HTTP header should be sent: "This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations."

Over the years, many web site designers extended the "avoid particular user agent limitations" to "block any unknown client from accessing content" though - and with this, all the problems started.

Websites started to sniff for "Mozilla/" at the start of the UA string (which Netscape had) and gave only those clients access to their (most of the time) non-standards-compliant content that it somehow displayed, and they did this hard enough that Microsoft could not release their browser without the "Mozilla/" at the start of the string, unless they wanted to be blocked from content. And clearly they didn't. Following that, almost any decent browser had to use Netscape-style "Mozilla/" user agent strings, even if they weren't the mythical "Mosaic killer" that this internal code name stood for.

When the Mozilla project wanted to note a Gecko version, and later the Firefox name and version, they were forced to hold on to the more and more useless "Mozilla/" prefix and some syntax surrounding it, and just add additional product tokens, ending up with a standards-compliant, but a bit lengthy convention for Mozilla user agents - which also SeaMonkey is using.

Instead of a handy "SeaMonkey/1.1.2 (Windows NT 5.1; de-AT) Gecko/" (which would tell all statistics-relevant data and have a common "Gecko" name and version to detect to "avoid particular user agent limitations" common to all Gecko products), we end up with "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv: Gecko/20070617 SeaMonkey/1.1.2" because of that legacy.

When those website that use user agent sniffing would do it correctly, they would send W3C-compliant content to every unknown browser and only do small tweaks for those which don't comply correctly (along with explicit checks for only those versions that are known not to comply, still sending the W3C-compliant version for future releases that might fix this) - and we would never have ended up even at this stage.

But that's not even where the story ends, actually, it gets much worse:

When Gecko gained market share, browsers like Konqueror and Safari began adding "(like Gecko)" to their UA string to fool websites testing for "Gecko" in the UA string into letting them in when they would close out anything beyond MSIE and Gecko. And then, we arrived at the stage where Firefox gained a whole lot of market share and those crappy web designers decided to let "Firefox" into their websites, apparently not knowing that Gecko is Gecko and Firefox is "just" Gecko plus a nice UI (which is cool enough, actually). Because of that, there is a number of websites that don't work in non-Firefox Gecko browsers even if they could - that includes SeaMonkey, the Firefox development builds labeled e.g. "Minefield", and also Camino.

Instead of helping us all and the whole web with increasing the market share of non-Firefox Gecko browsers and making web designers aware of the problem and the easy solution (yes, the by far hardest part), the Camino team is now trying to win the prize for the suckiest UA string of them all by adding a "like Firefox" string to their UA. WTF?

If we're continuing on this path, every useful browser will have to add this, and probably a few other strings, in the future. I don't intend to support this or any project which decides to go down that road.

It would have been nice if one day I could have used
SeaMonkey/4.3 (Linux x86_64; de) Gecko/3.2
or something like that.

The new proposal sounds like I may end up with one in this style though:
Mozilla/5.0 (X11 [like Windows]; U; Linux x86_64 [like Intel Mac OS X]; de [like en-US]; rv:3.2) Gecko/20100704 (like KHTML) SeaMonkey/4.3 (like Firefox) (like Safari) (like Opera) (like Netscape) (like MSIE) (like Mosaic)

Thanks to the Camino team! :(

Entry written by KaiRo and posted on June 23rd, 2007 03:23 | Tags: Mozilla, UA String | 9 comments


  • [Postingstatistik] Juli 2007 - Seite 3 | hilpers (Pingback)
  • Comments



    from Frankfurt

    If they do this mostly for some high-profile sites, why don't they include an updatable list of sites (like the phishing list) to which it should serve that UA?
    2007-06-23 11:18


    Too bad it's not defined strictly (are the parenthesesed values not defined anywhere?), else I'd say f*** those sites, and change the UA to a good one everywhere. :/
    2007-06-23 11:52

    Kroc Camen

    from UK

    Why not follow Opera's lead?
    Opera decided to clean up their act with Opera 9 and use a very straightforward user string:

    Opera/9.21 (Macintosh; Intel Mac OS X; U; en)

    Firefox has many times the marketshare of Opera and should opt to ditch the legacy parts of the UA. Any fallout could be handled by a temporary internal whitelist of important domains to use a legacy string with, which can be followed up by the Mozilla evangelist team helping those important sites to fix their code.
    2007-06-23 12:09


    from The US

    I think you guys should sanitize the string and just use SeaMonkey as the user agent (and optionally include Gecko in it), a la Opera. As a SeaMonkey user, I'm blocked out of sites that require Internet Explorer or Firefox. The problem is that I'm on Linux and Firefox annoys me (so I just go away; I've never actually encountered a site I wanted to get in so bad that I'd use another browser to get in). But I disagree with UA detection on principle. I think, in most cases, detecting UAs rather than features is a sign of poor implementation and of short-sightedness.
    2007-06-24 05:51


    from Moscow, Russia

    there is a point in that, but the string is currently used to identify the build when commenting in Bugzilla, and it is detected and filled in automatically in some places like that. So the language and platform probably have to stay.
    2007-06-24 10:37


    from Germany

    GMX and Web.de (Webmail) both belonging to united internet checking for Firefox and advertising for the new version, not detecting my Seamonkey.

    Even worse, GMX ist running it's Beta testing for GMX 2007 which is only offered if Firefox is in the UA string. Sometime in the future it will be default - leaving all others behind. Of corse one of the biggest Webmailer in germany don't need a support email, on the support page you end up in the FAQ.

    Sanitizing should be a good thing, if Ff and other projects go along with it. Otherwise none will care. Build in an additional button for sending the suggested long UA string - of course with Kitchensink/1.0 :D
    2007-07-01 01:08

    Anonymous guest

    Quote of Kroc Camen:
    Opera decided to clean up their act with Opera 9 and use a very straightforward user string:

    Opera/9.21 (Macintosh; Intel Mac OS X; U; en)

    Any fallout could be handled by a temporary internal whitelist of important domains to use a legacy string with, which can be followed up by the Mozilla evangelist team helping those important sites to fix their code.

    No, let mozilla just straighten up there Ustring and let those damn website fix thair own mess, - if i find an important website that my browser doesn't work with, first thin i do is a w3c check on the site, IF it doesn't not compy, i got a nice mailer demon install, set to pust some 10 complaint mails to, abuse@domain.com && webmaster@domain.com && info@domain.com && sales@domain.com etc. and i think we should all engage into such practice, THAT is the only way to 'as webusers' enforce 'important public' websites to designe by the rules,

    i for one would always send a open letter to the media if i found out that mygovernment.<com> was un-readable by alternative browers (other than IE i mean)
    2007-07-18 13:28


    even more :)
    You've forgot to replace "U;" with "U [like I];" for those sites which prefer weak security :)
    2007-08-17 13:42

    Ian Thomas

    Seamonkey or Gecko?
    The rendering engine is usually the important piece of information, so how about:

    Gecko/XX (Windows; en-UK) Firefox/YY
    Gecko/XX (Windows; en-UK) Seamonkey/YY
    AppleWebKit/XX (Mac OS X; de) Safari/YY
    KHTML/XX (Linux; fr) Konqueror/YY

    You'd probably still want the closed source browsers to start with the browser name though, which is a bit inconsistent:
    MSIE/XX (Linux; en-UK)
    Opera/XX (Windows; en-UK)
    2008-01-02 00:12

    Add comment