I agree with many of the points Alex makes, and detecting the UA on the server side has a *huge* advantage: We can avoid sending useless JS and image data to browsers/devices that will never use them. But, a couple of issues make good counter-arguments:
- Writing *correct* UA sniffing code is hard
- UA spoofers are left in the dark here. We would serve them content according to what they're pretending to be, rather then content according to their actual browser
The first problem can be solved by a reference project that does the actual detection for major server side languages. The second problem is more complicated. UA spoofing is a practice that came to be in order to circumvent badly written UA sniffing & UA based blocking. While unfortunate, this technique is necessary for minority browser users, as well as in other cases. I for one have to use it when I'm using my phone for 3G tethering. My operator's network only allows phone UAs to go through the phone APN, so I fake it. And when I'm getting mobile sites on my desktop browser, that is... well, let's say it's unfortunate.
What we have so far is:
- Feature detection *all the time* slows down things
- UA sniffing kills UA spoofing
So, there must be a third way.
What if we could count on UA sniffing for major browsers UNLESS we detect spoofing is in place?
I thought thoroughly regarding a generic solution here, but failed miserably. We can't trust UA strings (neither sent over the wire nor window properties). We can't trust other window properties (such as vendor) as 100% accurate since they as well may be spoofed.
So, do we raise a big white flag? Give up on the idea that a reliable method can be used to detect browsers and avoid feature detection for every single feature we want to use?
We can cover the most common use cases for UA spoofing and avoid messing them up. These cases are:
- Browsers that pretend to be IE so they won't be blocked by backwards sites
- Browsers that pretend to be mobile devices so they won't be blocked by DPI on their network
If anyone ever reads this and finds other use cases for UA spoofing, please leave a comment.
With these use cases in mind we can do the following:
- Detect UAs on the server side
- If spoofing is suspected, add appropriate code snippet to the page's top
- If UA unknown or spoofing detected, feature detect
- Otherwise (UA is known), send JSON with known features
So, thoughts? Ideas? Irrational emotional responses?
Bring it on...:)