Bug 799899 - Add Device-Stock-UA header
Product: Firefox for Android
Classification: Client Software
Component: General
Version: Trunk
Platform: ARM Android
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
: Sebastian Kaspari (:sebastian)
Blocks: http-fingerprint
Reported: 2012-10-10 04:37 PDT by Paddy O'Reilly
Modified: 2016-07-29 14:29 PDT

Description Paddy O'Reilly 2012-10-10 04:37:26 PDT
User Agent: Opera/9.80 (X11; Linux x86_64; Edition Next) Presto/2.12.388 Version/12.10

Steps to reproduce:

Visit using Firefox for Android

Actual results:

The logo image has been resized to the lowest usable value as no device specific information has been provided. (Compare with visiting site using default Android or Opera Mobile 12.1)

Expected results:

The 3rd party mobile user agent should include the additional HTTP header "Device-Stock-UA", as per the RFC below, to aid developers in the server-side adaption of content for consumption on mobile and deliver a better user experience to users.
Comment 1 Aaron Train [:aaronmt] 2012-10-10 07:31:24 PDT
Blog post:
Comment 2 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2012-10-10 07:32:56 PDT
I don't know anything about the merits here, but "someone invented a header and wrote a draft RFC for it" is not enough reason to implement it.
Comment 3 Matt Brubeck (:mbrubeck) 2012-10-10 08:47:26 PDT
The stock UA generally contains information that we have deliberately kept out of our HTTP headers for reasons including privacy/fingerprinting, and discouraging fragile browser-sniffing practices that harm competition by locking out newer or less common browsers.  Implementing the Device-Stock-UA header would eliminate most of the benefits of those decisions.
Comment 4 Martin von Gagern 2012-10-10 09:00:41 PDT
I believe that the lock-out argument might be weak in this case. In fact, reading the blog from comment #1 sounds like this might actually help fight lock-out.

The concerns about privacy and fingerprinting remain still strong, though. The RFC even states:

 "This header field may reveal more information about the hardware or
  firmware of the device that can be used for tracking purposes."

It is also interesting to note that the first paragraph in the section about possible uses refers to "web analytics". Adjusting content only comes after that.
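An added illustration of the fingerprinting concern raised in comments 3 and 4 (not part of the bug thread and not Mozilla code): it measures how much identifying information a second device header adds on top of a uniform browser User-Agent. The client sample and the `Device-Stock-UA` values are constructed placeholders, not real stock UA strings.

```python
import math
from collections import Counter

# Constructed sample: one (User-Agent, hypothetical Device-Stock-UA) pair per client.
FX_PHONE = "Mozilla/5.0 (Android; Mobile; rv:16.0) Gecko/16.0 Firefox/16.0"
FX_TABLET = "Mozilla/5.0 (Android; Tablet; rv:16.0) Gecko/16.0 Firefox/16.0"
CLIENTS = [
    (FX_PHONE, "StockBrowser/1.0 (Device-A; firmware 1.0)"),
    (FX_PHONE, "StockBrowser/1.0 (Device-A; firmware 1.1)"),
    (FX_PHONE, "StockBrowser/1.0 (Device-B; firmware 2.0)"),
    (FX_PHONE, "StockBrowser/1.0 (Device-B; firmware 2.0)"),
    (FX_PHONE, "StockBrowser/1.0 (Device-C; firmware 3.2)"),
    (FX_PHONE, "StockBrowser/1.0 (Device-D; firmware 1.0)"),
    (FX_TABLET, "StockBrowser/1.0 (Device-E; firmware 4.0)"),
    (FX_TABLET, "StockBrowser/1.0 (Device-F; firmware 4.0)"),
]


def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def anonymity_sets(values):
    """For each client, the number of clients in the sample sending the same value."""
    counts = Counter(values)
    return [counts[v] for v in values]


def compare(clients):
    """Contrast what a server learns from the UA alone and from both headers."""
    ua_only = [ua for ua, _ in clients]
    combined = list(clients)  # the pair a server would see with both headers
    return {
        "ua_bits": entropy_bits(ua_only),
        "combined_bits": entropy_bits(combined),
        # Clients singled out by header values alone (anonymity set of 1).
        "ua_unique": anonymity_sets(ua_only).count(1),
        "combined_unique": anonymity_sets(combined).count(1),
    }


if __name__ == "__main__":
    for key, value in compare(CLIENTS).items():
        print(f"{key}: {value}")
```

In this sample no client is distinguishable by User-Agent alone, while six of the eight become unique once the second header is present.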
Comment 5 Kevin Brosnan [:kbrosnan] 2012-10-10 09:28:06 PDT
This is similar to bug 625238. The decision there was that this hurts web compatibility.
Comment 6 Paul [pwd] 2012-10-10 09:31:58 PDT
(In reply to Matt Brubeck (:mbrubeck) from comment #3)
> The stock UA generally contains information that we have deliberately kept
> out of our HTTP headers for reasons including privacy/fingerprinting, and
> discouraging fragile browser-sniffing practices that harm competition by
> locking out newer or less common browsers.  Implementing the Device-Stock-UA
> header would eliminate most of the benefits of those decisions.

I think this about sums up my thoughts on the matter.
Comment 7 Paddy O'Reilly 2012-10-10 09:46:40 PDT
I would disagree that including the device header would lead to a lockout for newer/less known browsers.
In fact, I would argue that it would increase acceptance and compatibility as at present, for me as a developer that uses server-side content adaptation, when a 3rd party browser, such as Firefox Mobile or Opera Mobile, is encountered, the minimum device capabilities must be assumed to guarantee the best user experience. By including device-specific information in the header, it enables developers to deliver a richer experience to users of Firefox for Android.
As a user, the alternative has been to download add-ons such as Phoney and change the browser's user agent, thus hiding the user agent's identity from the site owner.
Comment 8 Matt Brubeck (:mbrubeck) 2012-10-10 09:58:52 PDT
Consider the case of Firefox OS (aka Boot2Gecko), where Firefox *is* the stock browser.  It has all the same capabilities of Firefox for Android.  It would generally be incorrect for web sites to treat Firefox on B2G differently from Firefox on Android simply because of this proposed header.  Firefox users will usually have the best experience if web sites treat Firefox the same on all platforms, rather than assuming it has certain capabilities based on the "stock browser" (which exists on only a few platforms).

(We do have several ways to detect basic differences in form factor and other capabilities in a platform-independent way, such as CSS media queries, feature-testing, and the "Mobile" and "Tablet" tokens in the User-Agent header.)
Comment 9 Gervase Markham [:gerv] 2012-10-10 13:19:23 PDT
I think this proposal is wrong-headed in several ways, only some of which have so far been touched on :-) It's 9.20pm here, but hopefully tomorrow I will find time to list some of the others.

Comment 10 Gervase Markham [:gerv] 2012-10-11 07:28:30 PDT
OK. Everything people said above. Capability detection via putting a phone's model name into a big database is fundamentally broken, and will always disadvantage new players in the market. It's opposed to Mozilla's aim of user choice. We should be encouraging proper feature detection at runtime rather than proxy guesswork.

Add to that the fingerprinting and privacy issues, the fact that it would lead to us having to send very different user-agent-identifying strings for browsers which should be treated identically (Firefox on B2G and Firefox on Android), and the increase in request size for every request, and this is pretty clearly a WONTFIX. This is not the direction Mozilla wants the web to go in.

Comment 11 Paddy O'Reilly 2012-10-11 10:12:48 PDT

Thanks for your response, however I'm disappointed that this bug has been set to WONTFIX so quickly.

Surely a developer's choice of technology is being restricted by forcing them to use client-side detection, even if it results in poor performance for the end user. There also seems to be an assumption that the DOM is always available to query; for image transcoding the UA is the only clue at the requesting device's properties, i.e. screen size, resolution.

As for Boot2Gecko, I would be very surprised if vendors shipped handsets that lacked any device identifiers or X-WAP-PROFILE header. This will leave users who choose to download Firefox as a 3rd party browser on another platform at a disadvantage, as anyone using client-side detection would assume the lower common device properties.

Comment 12 Tom Lowenthal 2012-10-11 13:32:57 PDT
Privacy/fingerprinting concerns ++

Implementing this change would also require privacy review.
Comment 13 Gervase Markham [:gerv] 2012-10-12 06:15:27 PDT
Paddy: the bug has not been WONTFIXed quickly due to lack of consideration; the issues which this header raises have been debated many times in the Mozilla community, and again only quite recently. So we are fairly clear where we stand. 

If client-side detection results in poor performance, then clearly that's something which needs addressing. Our DOM and WebAPI teams would be very interested to hear about the use cases you have where the current detection methods are non-existent or don't meet your needs. 

Your image transcoding point presumably only applies to the first page load, of course.

Comment 14 Curtis Koenig [:curtisk-use]] 2012-10-16 09:50:37 PDT
-privacy-review-needed as this is wontfix