A presentation at Halfstack in London, UK by Niels Leenheer
everybody lies. Niels Leenheer, halfstack, november 18th 2016, @html5test
warning: this talk is full of lies and deception
yes… this talk is about browser sniffing
why?
browser sniffing is dirty
you should use feature detection
De " Web Devel #! s: Br $ s ! Sniffing is Stupid http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/
5 Reas % s Why Br $ s ! Sniffing Stinks https://www.sitepoint.com/why-browser-sniffing-stinks/
Br $ s ! Detecti % is Bad https://css-tricks.com/browser-detection-is-bad/
feature detection responsive design progressive enhancement best-practices
anti-pattern: browser sniffing
browser sniffing is just a tool
everybody uses browser sniffing
what… is browser sniffing actually?
the http specification defines the user-agent header it contains a string with information about the browser
every request the browser makes to the server includes the user-agent header
GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>

you can access the exact same string using javascript
you can use the user-agent string to identify: the browser the rendering engine the operating system the device model and more
what… is browser sniffing good for?
knowledge
if you know the platform or browser, you can streamline the user experience
if you know your users, you can build a better site for them
if you know which browser is being used, you can work around bugs
if you know which browser is causing errors, you can fix them
privacy implications
changing your user agent string actually makes it easier to track you
anonymity by looking like everybody else
why… is browser sniffing so difficult?
things started out simple
Mosaic/0.9
  Mosaic

Mozilla/1.0 (Win3.1)
  Netscape Navigator (Mozilla is the code name of the browser)

but it quickly started to get complicated

Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
  Internet Explorer ("compatible" with Netscape Navigator 1.0)

Opera/8.54 (Windows 95; U; en)
  Opera

Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
  Opera

Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00
  Opera (Version/ holds the real version of the browser)

Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5
  Firefox (Gecko/20090624 is the build date of the rendering engine)

Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0
  Firefox (the build date is no longer updated)

Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
  Firefox
and it gets worse…
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
  Safari

Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
  Chrome

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
  Opera

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
  Internet Explorer

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
  Edge
and those were all relatively normal user-agent strings
sometimes browsers simply do not make sense at all
Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
  Samsung Internet

Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
  Nokia Xpress for Windows Phone
sometimes browsers lie to hide their true identity
Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
  Opera Mobile (desktop mode): "zbov" is "mobi", ROT13 encrypted

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
  Internet Explorer (compatibility view): Trident 5 means it’s Internet Explorer 9
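The quirks on the slides above (Version/ tokens in Opera and Safari, Opera and Edge hiding behind Chrome, the ROT13 "zbov" marker, and the Trident/MSIE mismatch of compatibility view) in one small parser. This is an added example, not code from the talk or from WhichBrowser; the pattern order and the "Trident N is IE N+4" mapping are this example's own assumptions.

```javascript
// Added example, not code from the talk or from WhichBrowser: a small parser
// for the user-agent quirks shown on the slides. Pattern order matters because
// later browsers deliberately include the tokens of earlier ones.
function parseUserAgent(ua) {
  const r = { browser: null, version: null, engine: null, note: null };
  const grab = (re) => { const m = ua.match(re); return m ? m[1] : null; };

  if (/Edge\//.test(ua)) {                     // Edge also claims Chrome, Safari and "like Gecko"
    r.browser = 'Edge'; r.version = grab(/Edge\/([\d.]+)/); r.engine = 'EdgeHTML';
  } else if (/OPR\//.test(ua)) {               // Blink-based Opera hides behind Chrome/Safari
    r.browser = 'Opera'; r.version = grab(/OPR\/([\d.]+)/); r.engine = 'Blink';
  } else if (/^Opera\//.test(ua)) {            // Presto Opera: "Version/" carries the real version
    r.browser = 'Opera'; r.engine = 'Presto';
    r.version = grab(/Version\/([\d.]+)/) || grab(/^Opera\/([\d.]+)/);
    if (/zbov/.test(ua)) r.note = 'Opera Mobile in desktop mode ("mobi" in ROT13)';
  } else if (/Chrome\//.test(ua)) {            // Chrome 28 and later render with Blink
    r.browser = 'Chrome'; r.version = grab(/Chrome\/([\d.]+)/);
    r.engine = parseInt(r.version, 10) >= 28 ? 'Blink' : 'WebKit';
  } else if (/Safari\//.test(ua)) {            // Safari: the browser version is in "Version/"
    r.browser = 'Safari'; r.version = grab(/Version\/([\d.]+)/); r.engine = 'WebKit';
  } else if (/Firefox\//.test(ua)) {
    r.browser = 'Firefox'; r.version = grab(/Firefox\/([\d.]+)/); r.engine = 'Gecko';
  } else if (/MSIE |Trident\//.test(ua)) {
    r.browser = 'Internet Explorer'; r.engine = 'Trident';
    const msie = grab(/MSIE ([\d.]+)/);
    const trident = grab(/Trident\/([\d.]+)/);
    // Assumed mapping: Trident N shipped with IE N+4 (Trident/5.0 is IE 9, Trident/7.0 is IE 11)
    const real = trident ? `${parseInt(trident, 10) + 4}.0` : null;
    r.version = real || msie;
    // An MSIE token lower than the Trident version means compatibility view is on
    if (msie && real && parseFloat(msie) < parseFloat(real)) r.note = 'compatibility view';
  }
  return r;
}
```

The Samsung Internet string from the earlier slide comes out as Chrome 28, which is exactly the point: the string carries no token that identifies it.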
sometimes browsers are just weird
Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2

Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
  BORK BORK BORK
and it is possible to change the user-agent string yourself
XSS attacks
<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">
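The defensive side of the slide above: the header is attacker-controlled, so any page that writes it into HTML (a visitor log, an analytics view) has to encode it first. Added example, not code from the talk; escapeHtml and renderVisitorRow are names chosen here.

```javascript
// Added example, not from the talk: the User-Agent header is attacker-controlled,
// so a visitor log or analytics page that writes it into HTML must encode it.
// escapeHtml and renderVisitorRow are names chosen for this example.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// One row of a server-rendered visitor log. The raw header never reaches the
// markup; both cells pass through escapeHtml, so a payload stays inert text.
function renderVisitorRow(ip, userAgent) {
  return `<tr><td>${escapeHtml(ip)}</td><td>${escapeHtml(userAgent)}</td></tr>`;
}

// Constructed sample: the payload shown on the slide, sent as a User-Agent header
const hostileUserAgent = '<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">';
```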
funny people
(╯°□°)╯︵ ┻━┻ Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
You’re site is !
angry people
FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
Seriously, Go fuck yourself
W3C standards are important. Stop fucking obsessing over user-agent already.
angry people: in 1.000.000 unique user-agent strings, 82 x fuck, 10 x shit, 6 x ass, 9 x dick, 3 x vagina, 108 x sex, 4 x balls
user-agent strings cannot be trusted!
everybody lies
you should never use browser sniffing for controlling access to your website
you should never use browser sniffing for determining browser capabilities
you should never build your own browser sniffing library
#1 use a browser sniffing library that is regularly updated
#2 check if it is possible to automatically schedule updates
“If you tell a big enough lie and tell it frequently enough, it will be believed” — Gandhi
“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler
thank you!
This talk is about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on Github still shows millions of lines of code referring to user agent strings. So this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.