Closed Bug 451834 Opened 16 years ago Closed 14 years ago

If general.useragent.extra.<extra_name> with smaller <extra_name> than "firefox" is added by other software, Firefox version part in User Agent string is hijacked

Categories

(Core :: General, enhancement)

x86
Windows XP
enhancement
Not set
normal

RESOLVED INVALID

People

(Reporter: World, Unassigned)


If general.useragent.extra.<extra_name> with smaller <extra_name> than "firefox" is added by other software, Firefox version part in User Agent string is hijacked.
Some sites already check with "rv:1.9.1a2pre" part or "Gecko/20080814041610" part, but many sites still rely on "Firefox/3.0.1" part ("Minefield/3.1a2pre" when Fx trunk).
I think action to protect from hijack is needed before MS starts to use "Amicrosoftdotnet" as entry name.  
 - Treat general.useragent.extra.firefox separately
 - Use of different entry name(e.g. general.useragent.extra._firefox)
   with documentation of "_xxxxxx" is reserved for Mozilla family's Firefox use

[Test result]
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/20080814041610 abc-001 bcd-002 cde-003 def-004 efg-005 Minefield/3.1a2pre (.NET CLR 3.5.30729)

Above user agent string is generated by next.
> general.useragent.extra.abc001  = abc-001 <= added for test
> general.useragent.extra.bcd002  = bcd-002 <= added for test
> general.useragent.extra.cde003  = cde-003 <= added for test
> general.useragent.extra.def004  = def-004 <= added for test
> general.useragent.extra.efg005  = efg-005 <= added for test
> general.useragent.extra.firefox = Minefield/3.1a2pre           <= default
> general.useragent.extra.microsoftdotnet = (.NET CLR 3.5.30729) <= .NET adds
I don't understand this bug report.  Why is it a problem that "Firefox/3.x" (or "Minefield/3.x") doesn't come immediately after the Gecko version?
(a) Spec of general.useragent.extra.xxx is very simple:
    Insert it to user agent string in alphabetic order of entry name.
    We can see extra part in user agent string very easily by about:config.
(b) Some sites still do browser sniffing based on product name/version in user agent string at specific position.
(c) As seen in general.useragent.extra.microsoftdotnet, some vendors already insert their own general.useragent.extra.xxx.
(d) I don't think vendor such as Microsoft is careful on alphabetic order of entry name.
(f) (f-1) If annoying warning is shown by (b), or if some functions of some sites are rejected by (b), user is confused, and user asks question at support forum. Further, (f-2) user sometimes opens bug at B.M.O and it was true in the past.

'Keeping position of "Firefox/3.6.3" as often as possible' is a workaround of problem (f-2) due to (b) & (d).
Using of general.useragent.extra._browsername="Firefox/3.6.3" is a simplest and easiest workaround.
I think addition of very loose rule of "preceding _ is for product or for pre-defined purpose" won't produce big problem.
Pre-definition of general.useragent.extra.firefox_extra="" may be a protection from careless use of general.useragent.extra._xxx by some vendors.

This bug is a small request of next to developer from a helper of QA team: 
  Please reduce unwanted/needless/useless bug open by users at B.M.O,
  with very small enhancement or change.
I never want to do QA work for BUG like "map is not shown at a site" which is produced by (b) and (d).
I don't want to experience interfere of QA work like next again;
  bug 455627 (duped to bug 328778) occurred during analysis of bug 448102
  (see comments after bug 448102 comment #87, please)
  due to extra user agent string added by some vendors and bug 328778.
So, WONTFIX is a reasonable closing code.
Severity: normal → enhancement
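
The ordering rule in (a) and the position-based sniffing in (b), modelled as an added example that is not part of the original comments or Mozilla's code. The function names and the sniffing regex are assumptions for illustration; the pref values are the ones from the test result above.

```javascript
// Constructed model: base UA plus general.useragent.extra.* values,
// appended in alphabetical order of the entry name, as described in (a).
const PREFIX = "general.useragent.extra.";
const BASE =
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a2pre) Gecko/20080814041610";

function buildUserAgent(prefs) {
  const extras = Object.keys(prefs)
    .filter((name) => name.startsWith(PREFIX))
    .sort()
    .map((name) => prefs[name]);
  return [BASE, ...extras].join(" ");
}

// Hypothetical site-side check of the kind described in (b): it expects the
// product token to sit immediately after "Gecko/<build>".
function sniffByPosition(ua) {
  const m = /Gecko\/\d+ ([A-Za-z]+)\/(\S+)/.exec(ua);
  return m ? { product: m[1], version: m[2] } : null;
}

// Order-independent alternative: drop parenthesised comments, then collect
// every product/version token wherever it appears in the string.
function productTokens(ua) {
  const tokens = new Map();
  const withoutComments = ua.replace(/\([^)]*\)/g, " ");
  for (const m of withoutComments.matchAll(/([A-Za-z][\w.-]*)\/(\S+)/g)) {
    tokens.set(m[1], m[2]);
  }
  return tokens;
}

// Sample prefs (constructed from the report): defaults, then one extra entry
// whose name sorts before "firefox".
const defaults = {
  "general.useragent.extra.firefox": "Minefield/3.1a2pre",
  "general.useragent.extra.microsoftdotnet": "(.NET CLR 3.5.30729)",
};
const withEarlierEntry = {
  ...defaults,
  "general.useragent.extra.abc001": "abc-001",
};

console.log(sniffByPosition(buildUserAgent(defaults)));           // Minefield found
console.log(sniffByPosition(buildUserAgent(withEarlierEntry)));   // null
console.log(productTokens(buildUserAgent(withEarlierEntry)).get("Minefield"));
```

Token matching only removes the dependence on position; it still reads a string that any software or user can change through about:config.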
I thought users testing nightlies adding general.useragent.extra.notfox was reserved for a specific purpose but I guess not after adding more extra.[whatever] as shown here.
In reply to comment #3:
In addition to whatever added that microsoftdotnet extra, many extensions, for instance Lightning and Mnenhy (both for SeaMonkey or Thunderbird), add their own "version strings" to the user-agent string. Here is an example:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a6pre) Gecko/20100622 Lightning/1.1a1pre SeaMonkey/2.1a2pre

I wouldn't call this "hijacking" anyway. Relying on the UA string, and especially on what appears at a certain position in that string, is at best a very sketchy way of ascertaining which capabilities are present.

Sites misusing the UA string (e.g. by locking SeaMonkey out because its UA string does not include "Firefox/") should be evangelized, see http://www.mozilla.org/projects/tech-evangelism/site/procedures.html , and possibly (depending on the kind of misuse) shown http://geckoisgecko.org/
(In reply to comment #4)
> I wouldn't call this "hijacking" anyway. 
> (snip)
> is at best a very sketchy way of ascertaining which capabilities are present.

Oh, UA String == List of capabilities!
I agree with you on not-hijacking, unless done by MS :-)

Yahoo! Japan is a site who warns about browser if SeaMonkey is used.
> general.useragent.extra.seamonkey = SeaMonkey/2.0.2
However, when I added next(added after "SeaMonkey"), the warning was not shown.
> general.useragent.extra.seamonkeyX = Firefox/3.6.3
Yahoo! Japan looks to have already interpreted it like "Capability List" instead of positional product/version.
Working around of browser sniffing issue is far easier than before by simple general.useragent.extra.

We can confidently say "Site's bug" to user, if BUG due to bad browser sniffing relevant to general.useragent.extra will be opened by general user.

Tony Mechelynck, INVALID? Or WONTFIX?
FYI 1.
bug 572665 is a kind of complaint from user on UA string mainly due to (bad) browser sniffing by some sites, although bug opener doesn't refer to specific sites.

FYI 2.
In that bug, good web page was pointed.
> http://geckoisgecko.info/
>   How to feature-sniff instead of browser-sniff
In reply to comment #5: In that case, Yahoo Japan qualifies for a bug report in the "Tech Evangelism" Product, and, I suppose, the "Japanese" Component. WADA, if you care about the case, you can report that bug, after checking that someone else didn't report it first, and after reading the "Tech Evangelism Procedures" document I linked to in comment #4.

In reply to comment #6: IMHO bug 572665 is INVALID: the fact that Firefox releases have "Firefox" in the UA and that Firefox nightlies, SeaMonkey and others don't have it (unless added back by hacking the UA string through about:config) is intentional. As for http://geckoisgecko.info/ it is an alias to http://geckoisgecko.org/ which I mentioned in comment #4.
(In reply to comment #7)

Tony, INVALID? Or WONTFIX?
(I think INVALID is appropriate, because no fault of Mozilla is involved in my request of this *BUG at B.M.O*, and this bug was caused by my lack of knowledge about "UA String == List of Capabilities".)

> WADA, if you care about the case, you can report that bug,
> after checking that someone else didn't report it first,
> and after reading the "Tech Evangelism Procedures" document I linked to in comment #4.

Sorry but I don't care about the case.
I believe that "*BAD*" browser sniffing is merely a result of lack of sufficient knowledge about current Web, of (stupid) Web Site developers, who say they are programmer even though they know about MS Win only and they merely have experience of coding of VB Script or MS Excel's Script.
My purpose of this bug was;
  To relieve QA peoples from needless work for BUGs at B.M.O which are opened
  by unfortunate victims due to such stupid Web site developers.
I believe that user is free to report "Evangelism bug" if he thinks Site is wrong. We QA peoples can merely say "Site is wrong" to such victims. I believe that there is no reason that QA peoples have to open "Evangelism bug" when they meet a report at B.M.O. about such issue by unfortunate victim.
Closing as INVALID.
Thanks for your explanations about UA String and general.useragent.extra.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID