Closed Bug 136141 Opened 22 years ago Closed 22 years ago

Disallow masquerading with MSIE user-agent string

Categories

(Core :: Networking: HTTP, defect)

defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: BenB, Assigned: BenB)

Details

Current status
In bug 45565, I implemented the (hidden) pref general.useragent.override to set
the complete UA string of Mozilla. See
<http://bugzilla.mozilla.org/show_bug.cgi?id=45565#c10> for the reasons. It was
intended to mask as e.g. Navigator 4.x Mac or as "You'll never know" (courtesy
of mat).

Now, I have to notice that most users abuse the pref to mask as MSIE.


Reason to change 1
Because webmasters code for the popular browsers, this causes more MSIE-only
sites, the thing we are trying to fight with Mozilla. It is true that you might
still be able to see that it's really a Mozilla, but webmasters stupid enough to
code MSIE-only sites are very likely to be stupid enough to just count that as
MSIE. They are also likely to believe statistics from e.g. StatMarket, which
seems to have an interest in publishing MSIE-biased numbers, judging from their
results. So, even if you use a UA string like "Mozilla/4.0 (compatible; MSIE)
Gecko/20020401", you are giving Microsoft armor to claim high stats for MSIE.

In other words, a user with a Mozilla masking as MSIE is almost as good for us
as an MSIE user.

We are here for a reason. While some user might just want to browse, we want to
propagate standards. The user has a right to control his software, but we have
some right to try to achieve our goals, too. The user still has the source.. *g*


Reason to change 2
Mozilla holds standards relatively high. We intentionally have no document.all,
although that would probably be easy to implement and would dramatically
increase compatibility. We chose long-term goals (standards-compliant web) over
short-term goals (visit that crap site). I think we should do the same here.


Proposed change
In the C++ backend, in the pref processing code, search for MSIE-identifying
strings like "MSIE". If the pref contains that, ignore the pref, i.e. use the
standard Mozilla UA string.


Impact
That would prevent users from masking Mozilla as MSIE, but would still allow to
mask as alternative browsers or write random nonsense in the string.
Execution-time impact on non-users of the hidden pref is 0.


Additional Comments
It can be argued that masking as Navigator 4.x is not helpful for a
standards-compliant web either. We might want to prevent that, too. The user
still has e.g. Opera left to mask as different, relatively popular,
standards-compliant and full-featured browser for security reasons.

I fully expect this change to be controversial.
And discussion to the .netlib newsgroup, please.
When you say:
"most users abuse the pref to mask as MSIE"

I think what you mean is:
"most users abuse the pref to _masquerade_ as MSIE"

http://m-w.com/cgi-bin/dictionary?masquerade
2 : to assume the appearance of something one is not
Summary: Disallow masking with MSIE user-agent string → Disallow masquerading with MSIE user-agent string
Shill pointed this bug out to me because fixing this "bug" would invalidate the
workaround for bug 145177. Although the workaround might work even if the
useragent string would be Netscape, this might not be the case next time. 

<rant>I belive that hardcoding something that can be a preference is a step back
for Mozilla. If people manage to 1) create a user.js 2) find the appropriate
pref key 3) knowing the value they want to set, I think they should be able to
do so. Isn't mozilla all about choice ;-) </rant>
> Shill pointed this bug out to me because fixing this "bug" would invalidate the
> workaround for bug 145177.

Well, that was part of the idea, yes. Most people don't care about bugs, if
*they* have a workaround, but users won't. The whole idea of dogfood is to
suffer from the same bugs as users, so that you care for them to be fixed.

Anyways, I'll mark this wontfix for now, from the feedback on .netlib.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.