List: kfm-devel
Subject: Re: UA string.
From: Vadim Plessky <vplessky () faringosept ! ru>
Date: 2003-02-23 10:08:32
On Friday 21 February 2003 03:33, Darin Adler wrote:
| On Thursday, February 20, 2003, at 04:05 PM, Dirk Mueller wrote:
| > On Don, 20 Feb 2003, Darin Adler wrote:
| >> Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/60 (KHTML,
| >> like Gecko) Safari/60
| >
| > hmm, the second pair of brackets is not going to be a problem for some
| > websites?
|
| We've always had those two sets of parentheses.
|
| > I guess we should change our to
| >
| > Mozilla/5.0 (compatible; Konqueror/3.1; KHTML, like Gecko; Linux)
| >
| > But that's not really compatible to your format.
|
| Might be OK. We the key is that they can just look for the substring
| KHTML.
Sorry for late comments, but it seems there are several important points not
listed/not discussed so far.
IIRC, we were discussing Konqueror/KHTML userAgent string couple of years ago
(KDE 2.0/2.1 release time), and Harri Porten raised the question of
_security_, as part of UA identification.
Within last 2 years, this question became much more important than ever.
Let me list those questions again:
1) should UA identify platform/environment it is running on?
For example, should Konqueror running on Linux identify itself as
Mozilla/5.0 (compatible; Konqueror/3.1; KHTML; Linux)
or even
Mozilla/5.0 (compatible; Konqueror/3.1; KHTML; Linux 2.4.18-6mdk)
or for Safari running on MacOS X
Mozilla/5.0 (compatible; Safari/1.0; KHTML; MacOS X 10.2)
+++
Supporters of such identification say that web designers need to know UA
platform/OS, in order to deliver "best possible" content and tune serve web
page in accordance with UA capabilities
---
Non-supporters of such UA identification (with platform) say that it
discloses too many details about the platform, and would make it simpler for a
potential hacker to break into the user's computer/OS, and steal potential private
information.
At the moment, Konqueror doesn't list OS/Platform by default, while you can turn
it on in the UA Settings dialog.
The only situation when knowledge of OS is really *required* is when you want
to install ActiveX elements on client's computer.
This is essentially the case of Windows 98/2000/XP system running MS IE.
There are several web pages which *would not work* at all, unless you allow them
to install ActiveX element(s).
Good example of such page is http://windowsupdate.microsoft.com
Windows Update functionality is 100% ActiveX-based.
2) should UA list CPU type and type of Windowing Environment?
I am speaking of "PPC" part (and "Mac OS X") in this UA
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us)
or "X11" and "i686" in this UA string
Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686)
As "Windows" string is quite common in Windows-based user agents, I think that
listing non-Windows platform in UA string is a Good Idea.
I hardly believe it discloses any kind of existing or potential
vulnerabilities, while it definitely increases the count of non-Windows clients.
|
| > Mozilla/5.0 (compatible; Konqueror/3.1; Linux) (KHTML, like Gecko)
|
| Seems as good as the above, not a lot better though. I guess they can
| look for "(KHTML," in this one, which might be better.
I am strongly against using the word "Gecko" in UA string.
Konq/KHTML and Safari are not based on Gecko engine, while you may want to
fake as Gecko when:
a) you are not using Gecko
b) most of web designers are not aware of Gecko's existence, and what
Gecko is; they concentrate design around MS IE
Important point for compatibility (on majority of web sites) is compatibility
with MS IE, and compatibility with those sites is achieved (in KHTML) via
document.all DHTML.
Like it or not, but most pages use following JS code to do branching of its
DHTML features:
    var DOM = document.getElementById;
    if (document.all)
        { /* MS IE branch */ }
    else if (DOM)
        { /* Netscape6, Mozilla, Konqueror should go here */ }
    else if (document.layers)
        { /* Netscape 4 branch */ }
    else
        { /* branch for browsers not supporting DHTML; usually empty in most cases */ }
What happens in code above?
Konqueror (and Safari) would always get document.all branch.
Which would create potential DHTML problems, as innerHTML and outerHTML
methods, "designed" by Microsoft, are very tricky and not very well
documented.
The real fix (inside KHTML codebase), IMO, would be to disable document.all on
per site basis (with some database online listing sites where it should be
disabled).
Of course, we can try to contact webmasters and ask them to use DOM branch
first - but in 99.9% cases, those webmasters do not care about such
letters...
3) should UA tell web site that it supports plugins/specific MIMEtypes, and
therefore supports extended MIME types (comparing to platform's default)?
I am speaking about:
navigator.plugins
navigator.mimeTypes
objects, which are supported in KHTML (and partially - in Mozilla/Gecko).
It's also quite interesting that MS IE on Mac supports plugins, too (while MS
IE on Windows ignores those objects)
Problems which exist in current KHTML implementation - that, say, JPG, GIF,
WAV, MP3, etc. are not listed as valid MIMEtypes if you execute "enumerate
mimetypes" script in browser.
But all MIMEtypes installed via plugin (Flash, RealAudio) are listed
correctly.
Shouldn't we fix it in both Konqueror and Safari *before* first major release
of Safari?
It would be nice if web masters would get one unified method to check
supported media at specific userAgent, without doing terrible (and often not
working correctly) hacks.
|
| > Is there any spec on UserAgent string formatting?
|
| I wish there was. There are some documents at mozilla.org, but that's
| all I could find.
And IMO, those documents on Mozilla site are badly designed.
|
| > and expect "Gecko" after the closing brackets to detect it as Gecko.
|
| We did that on purpose, of course. Many pages don't give modern
| standards-compliant content unless they see the substring Gecko
| somewhere, but they don't care where.
Can you pls list those pages?
AFAIK, most web sites do not care whether it's Gecko or not.
They just ignore this word in UA string.
|
| > Mozilla/5.0 (compatible; U; Linux; en-us) KHTML/3.1 like Gecko
|
| That's more like us, but has the problem that "compatible" is going to
| make many simple-minded sites think you are IE; we found that led to
| bad results.
|
| > BTW, do you happen to know the meaning of the "U;" ? :-)
|
| I do not. I am preparing a document explaining our user agent string
| that might some day go up on developer.apple.com, and that's one of the
| unanswered questions in my current draft.
|
| -- Darin
Hope to hear you on those issues soon!
Greetings,
Vadim
P.S. I attach browser-detection script which works quite well on all existing
browsers, despite script was designed in 2000.
I hope you can check JS inside and get an idea how detection works.
Unfortunately, many web pages do somewhat broken UA detection.
(good examples: CNN, ESPN, etc.)
--
Best Regards,
Vadim Plessky
SVG Icons * BlueSphere Icons 0.3.0 released
http://svgicons.sourceforge.net
["Browser_TEST5.html" (text/html)]
<HTML>
<HEAD>
<TITLE>Browser Testing and Extra Information - ver.5</TITLE>
<!-- This test suite was prepared by <a href="mailto:plessky@cnt.ru">Vadim Plessky</a> in 2000,
to debug different bugs in Konqueror web browser, as well as bugs in weird JavaScript and HTML code on many web sites.
-->
</HEAD>
<SCRIPT LANGUAGE="JAVASCRIPT">
<!-- hide from non-JavaScript Browsers
document.write("JavaScript code started");
var MyStr="";
var IE4 =0, IE4up= 0;
var NN4 =0, NN4up= 0;
var isKonqueror =0, isOpera =0;
var doc_layers = (document.layers) ? true : false;
var doc_all = (document.all) ? true : false;
var doc_images = (document.images) ? true : false;
var DOM = (document.getElementById) ? true : false;
var nav_mimetypes = (navigator.mimeTypes) ? true : false;
var nav_plugins = (navigator.plugins) ? true : false;
manufacturer = navigator.appName;
version = navigator.appVersion;
major = parseInt(version);
userAgent = navigator.userAgent;
agent_lowcase = navigator.userAgent.toLowerCase();
OS_platform = navigator.platform;
hasJava=navigator.javaEnabled();
Netscape_in_UA = (agent_lowcase.indexOf("netscape") != -1);
MSIE_in_UA = (agent_lowcase.indexOf("msie") != -1);
isKonqueror = (agent_lowcase.indexOf("konqueror") != -1);
isOpera = (agent_lowcase.indexOf("opera") != -1);
isNS6 = (agent_lowcase.indexOf("netscape6") != -1);
GeckoEngine = (agent_lowcase.indexOf("gecko") != -1 );
if (manufacturer.indexOf('Netscape')>=0 && version.indexOf('4.0')>=0)
NN4 = 1;
if (manufacturer.indexOf('Microsoft')>=0 && version.indexOf('4.0')>=0)
IE4 = 1;
if (manufacturer.indexOf('Netscape')>=0 && major >=4 )
NN4up = 1;
if (manufacturer.indexOf('Microsoft')>=0 && major >=4 )
IE4up = 1;
if ( GeckoEngine )
document.write( "<P><B>Suggestion:</b> you are using browser based on <B>Mozilla Gecko</b> engine</P>");
if ( NN4up )
document.write( "<P><B>Your browser is compatible with Netscape Navigator 4.x and higher</b></P>");
if ( IE4up )
document.write( "<P><B>Your browser is compatible with Microsoft Internet Explorer 4.x and higher</b></P>");
document.write( "<HR><P>Manufacturer (appName): "+manufacturer+"</P>");
document.write( "<P>Browser version: "+version+"</P>");
document.write( "<P>appCode: "+navigator.appCodeName+"</P>");
document.write( "<P>userAgent: "+navigator.userAgent+"</P>");
document.write( "<P>Operating System Platform: "+OS_platform+"</P>");
document.write( "<P>Is your browser Konqueror: "+isKonqueror);
document.write( "<P>Is your browser Opera: "+isOpera);
document.write( "<P>Is your browser Netscape6: "+isNS6);
document.write( "<P>Is Netscape word present in UserAgent: "+Netscape_in_UA);
document.write( "<P>Is MSIE word present in UserAgent: "+MSIE_in_UA);
document.write( "<P>Is Gecko word present in UserAgent: "+GeckoEngine);
document.write( "<P>screen.Width: "+screen.width+"</P>");
document.write( "<P>screen.Height: "+screen.height+"</P>");
document.write( "<P>screen.pixelDepth: "+screen.pixelDepth+"</P>");
document.write( "<P>screen.colorDepth: "+screen.colorDepth+"</P>");
document.write( "<P>if Java enabled: "+hasJava+"</P>");
document.write( "<P>Document.images: "+doc_images+"</P>");
document.write( "<P>Document.layers: "+doc_layers+"</P>");
document.write( "<P>Document.all: "+doc_all+"</P>");
document.write( "<P>DOM support (Document.getElementById): "+DOM+"</P>");
document.write( "<P>Plugins supported: (navigator.plugins) "+nav_plugins );
document.write( "<P>MIME Types supported: (navigator.mimeTypes) "+nav_mimetypes );
document.write("<HR>JavaScript code finished");
// stop hiding -->
</SCRIPT>
<NOSCRIPT>
<P>Your browser doesn't support scripting.</P>
<P>If you are running Konqueror web browser on KDE2, please check
menu Settings - Configure - Browser dialog, select Java/Javascript tab,
and Enable JavaScript globally</P>
</NOSCRIPT>
<BODY BGCOLOR="#FFC0A0">
<font size=+2 color="blue" face="sans-serif">
<p>This test should be displayed in any case - even if you don't have JavaScript in your browser</p>
</font>
<H2>This test suite was prepared by <a href="mailto:plessky@cnt.ru">Vadim Plessky</a> in 2000</H2>
<P>Objective: to debug different bugs in Konqueror web browser, as well as bugs in weird JavaScript and HTML code on many web sites.</P>
</BODY>
</HTML>
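
Added example, not part of the original message or its attachment: it runs the substring checks described in this thread over UA strings quoted in it, and lists the platform details each string discloses. The function names and the "naive" rules are assumptions constructed to mirror the behaviour the messages describe, not any site's real code.

```javascript
// UA strings copied from the thread above.
const THREAD_UAS = {
  safari: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/60 (KHTML, like Gecko) Safari/60",
  konqProposed: "Mozilla/5.0 (compatible; Konqueror/3.1; KHTML, like Gecko; Linux)",
  konqKernel: "Mozilla/5.0 (compatible; Konqueror/3.1; KHTML; Linux 2.4.18-6mdk)",
  konqArch: "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686)",
};

// Constructed "simple-minded site" rules: "compatible" is read as IE,
// and "gecko" anywhere in the string is read as Gecko.
function naiveSniff(ua) {
  const s = ua.toLowerCase();
  if (s.includes("msie") || s.includes("compatible")) return "ie";
  if (s.includes("gecko")) return "gecko";
  return "unknown";
}

// Order-aware check: test "khtml" first, because "like Gecko" also
// contains "gecko" and would otherwise be reported as Gecko.
function engineOf(ua) {
  const s = ua.toLowerCase();
  if (s.includes("khtml")) return "khtml";
  if (s.includes("msie")) return "ie";
  if (s.includes("gecko")) return "gecko";
  return "unknown";
}

// Platform details disclosed in the first parenthesised comment of the
// UA string: OS, kernel version, CPU type, windowing environment.
function disclosed(ua) {
  const m0 = /\(([^)]*)\)/.exec(ua);
  const out = {};
  for (const tok of (m0 ? m0[1] : "").split(";").map((t) => t.trim())) {
    const m = /^Linux(?:\s+(\S+))?$/.exec(tok);
    if (m) {
      out.os = "Linux";
      if (m[1]) out.kernel = m[1];
    } else if (tok === "PPC Mac OS X") {
      out.os = "Mac OS X";
      out.cpu = "PPC";
    } else if (/^(i[3-6]86|PPC)$/.test(tok)) {
      out.cpu = tok;
    } else if (tok === "X11") {
      out.windowing = "X11";
    }
  }
  return out;
}
```
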