UA spoofers have feelings too!There's been a lot of noise recently in the web dev world regarding UA sniffing vs. feature detection. It all started when Alex Russell wrote out a post suggesting that there are cases where feature detection UA sniffing can be used, and where feature detection wastes precious time asking questions we already know the answer to. As he predicted, that stirred up a lot of controversy. Nicolas Zakas backed him up (more or less), Faruk Ates gave a history lecture, and the entire comment thread on Alex's post is very entertaining.
I agree with many of the points Alex makes, and detecting the UA on the server side has a *huge* advantage: We can avoid sending useless JS and image data to browsers/devices that will never use them. But, a couple of issues make good counter-arguments:
- Writing *correct* UA sniffing code is hard
- UA spoofers are left in the dark here. We would serve them content according to what they're pretending to be, rather then content according to their actual browser
The first problem can be solved by a reference project that does the actual detection for major server side languages. The second problem is more complicated. UA spoofing is a practice that came to be in order to circumvent badly written UA sniffing & UA based blocking. While unfortunate, this technique is necessary for minority browser users, as well as in other cases. I for one have to use it when I'm using my phone for 3G tethering. My operator's network only allows phone UAs to go through the phone APN, so I fake it. And when I'm getting mobile sites on my desktop browser, that is... well, let's say it's unfortunate.
What we have so far is:
- Feature detection *all the time* slows down things
- UA sniffing kills UA spoofing
So, there must be a third way.
What if we could count on UA sniffing for major browsers UNLESS we detect spoofing is in place?
I thought thoroughly regarding a generic solution here, but failed miserably. We can't trust UA strings (neither sent over the wire nor window properties). We can't trust other window properties (such as vendor) as 100% accurate since they as well may be spoofed.
So, do we raise a big white flag? Give up on the idea that a reliable method can be used to detect browsers and avoid feature detection for every single feature we want to use?
We can cover the most common use cases for UA spoofing and avoid messing them up. These cases are:
- Browsers that pretend to be IE so they won't be blocked by backwards sites
- Browsers that pretend to be mobile devices so they won't be blocked by DPI on their network
With these use cases in mind we can do the following:
- Detect UAs on the server side
- If spoofing is suspected, add appropriate code snippet to the page's top
- If UA unknown or spoofing detected, feature detect
- Otherwise (UA is known), send JSON with known features
So, thoughts? Ideas? Irrational emotional responses?
Bring it on...:)
getify — Mon, 07 Mar 2011 22:12:36 GMT
I know quite a few users who spoof their UA in Opera because a LOT of sites ignore/block Opera. Also, there's the soft UA spoofing that ChromeFrame does, which might technically be ok except that not all things that happen in the browser are controlled by the rendering/js engines, that chromeframe replaces (for instance, security policy peculiarities, etc).
Faruk Ateş — Tue, 08 Mar 2011 00:12:53 GMT
John Dalton already quite thoroughly debunked the baseless claims Alex made about feature detection being such a costly effort: http://allyoucanleet.com/20...
Given the inherent lack of reliability with UA sniffing and the fact that feature testing *is* a negligible cost in almost every circumstance, I don’t see much debate remaining. :)
Also, the problem with UA sniffing I hadn’t mentioned yet is that it prevents any new browser from coming onto the scene and doing things The Right Way™, e.g. having no other-browser-cruft in its UA string just for compatibility’s sake.
Nicholas C. Zakas — Tue, 08 Mar 2011 00:13:35 GMT
If we meet in person and you say your name is John, I will assume that that is correct. If it's not, then I assume you had a good reason for making me think your name was John and will continue to address you as such until you tell me not to. I feel the same way about user-agent strings.
Yes, good user-agent detection is hard, but I refuse to jump through hoops to determine if a UA string is being spoofed or not. If you say you're IE6, then I assume you're telling me that you can handle the same content that IE6 can handle (if not, then shame on you, not on me). If the UA string looks *exactly* the same as IE6 without any additional information to discern that you're not, then you've voided your warranty and I treat you as you tell me to.