from the all-your-user-agent-are-belong-to-us dept.
Chrome Phasing out Support for User Agent
Google announced its decision to drop support for the User-Agent string in its Chrome browser. Instead, Chrome will offer a new API called Client Hints that will give the user greater control over which information is shared with websites.
[...] When Netscape came out,[...] it adopted the User-Agent string and added additional details such as the operating system, language, etc. These details helped websites to deliver the right content for the user, though in reality, the primary use case for the User-Agent string became browser sniffing.
[...] Browser sniffing continued to play a significant part in determining the browser capabilities for many years, which led to an unfortunate side effect where smaller browser vendors had to mimic popular User-Agents to display the correct website - as many companies only supported the major User-Agent types.
With JavaScript popularity rising, most developers have started using libraries such as Modernizer, which detects the specific capabilities of the browser, as this provides much more accurate results.
As a result, the most significant usage for the User-Agent remained within the advertising industry, where companies used it to 'fingerprint' users, a practice that many privacy advocates found to be problematic - mainly as most users had limited options to disable/mask those details.
If advertisers (other than Google) are unable to fingerprint our browsers we might be condemned to having fewer ads on our web pages to watch.
[A more in-depth article is available on ZDNet; the entire Client Hints proposal is available on GitHub. This is subject to modification — but it has been under development since at least January of 2019 — so don't wait for it to get formally adopted if you have any issues with it; get your feedback in soon.-Ed.]
(Score: 3, Insightful) by DannyB on Wednesday March 25 2020, @06:19PM (2 children)
But March is national procrastination week.
From TFA . . . [github.io]
Well that's encouraging. Who is Google that they would expect all the many web browser to implement something witch is not a W3C standard?
The lower I set my standards the more accomplishments I have.
(Score: 1, Touché) by Anonymous Coward on Thursday March 26 2020, @07:07AM (1 child)
Which browsers? Chrome, Chrome or Chrome?
(Score: 2) by DannyB on Thursday March 26 2020, @02:16PM
Chrome. Chromium. Edge. Safari? Others?
The lower I set my standards the more accomplishments I have.
(Score: 5, Insightful) by DannyB on Wednesday March 25 2020, @06:24PM (1 child)
Why is the new UA Client Hints API [github.io] even needed? And why is User Agent needed?
Bravo for getting rid of User-Agent. But why replace it with something more structured?
In the age of browser standardization where all browsers can render all modern standards, it seems a server no longer needs to customize content to particular browsers. IE is dead, at long last. (although some people still use it, and some banks think it's great stuff)
As long as the vast array of different browser implementations that we have to choose from all implement modern standards, who needs a user agent? And who needs a replacement for it?
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Thursday March 26 2020, @04:09AM
Google needs the replacement for it. Ad companies are going to ad, and ads that can track your targets better are worth more.
(Score: 2, Interesting) by Anonymous Coward on Wednesday March 25 2020, @06:28PM (5 children)
Anyone have a good Bobby Tables style user agent string? I don't think most ad networks run the highest quality code...
(Score: 0) by Anonymous Coward on Wednesday March 25 2020, @07:22PM
Use a blank string and watch the fireworks.
(Score: 2, Interesting) by Anonymous Coward on Wednesday March 25 2020, @08:11PM (3 children)
Googlebot
Gets around many paywalls.
A zillion years ago, I used to use "web browser", but as time went on, most major sites became broken due to retarded user agent sniffing. Most did not degrade gracefully, just some stupid, "We haven't a clue what we are doing, so please use browser X at version Y."
(Score: 2) by Pino P on Thursday March 26 2020, @12:46AM (2 children)
Shhh! Don't spill the beans, or sites will start using reverse DNS on each IP address that presents a Googlebot UA [google.com].
(Score: 3, Interesting) by toddestan on Thursday March 26 2020, @03:35AM (1 child)
Really, this shouldn't work for other reasons. I think Google should send sites that let Googlebot through but present a paywall to everyone else straight to the bottom of their search results.
(Score: 4, Informative) by Pino P on Thursday March 26 2020, @03:54AM
This was the case until October 2017, when Google rolled out Flexible Sampling [google.com] to replace its former First Click Free policy. Googlebot even provides a way for publishers to post structured data to mark the difference [google.com] between a paywall and cloaking.
(Score: 5, Insightful) by bradley13 on Wednesday March 25 2020, @06:37PM (4 children)
Note that, according to the HTTP specification, the User-Agent string is optional. However...
There are a lot of web developers out there who are apparently incapable of correctly implementing a specification. If you fail to send a User-Agent string, many websites break. They apparently have some sort of if statement logic: if browser-x send X else if browser-y. Only they forgot the final "else" where they ought to send content even if the don't know the browser type.
Anyway, relying on User-Agent just indicates that a website is relying on non-standard browser behaviors. Another sign of quality web development. If you site doesn't work on *any* modern browser, your site is broken. Period.
I would like to believe that this change to Chrome will force web developers to clean up this mess. Unfortunately, it won't. According to TFA, Chrome will still send User-Agent and offer "Client Hints". In total, this will almost certainly provide even more information to track users.
Everyone is somebody else's weirdo.
(Score: 1, Interesting) by Anonymous Coward on Wednesday March 25 2020, @06:59PM (2 children)
My frankenbrowser sends null as a user agent. I get a bunch of null pointer errors from websites.
(Score: 0) by Anonymous Coward on Wednesday March 25 2020, @07:55PM (1 child)
My browser occasionally identifies itself as a copy of mozilla running on a DEC system running TOPS-20..sorry, I meant mozzarella running on a DEC..
(Score: 0) by Anonymous Coward on Thursday March 26 2020, @04:46AM
A transexual browser, eh?
(Score: 0) by Anonymous Coward on Wednesday March 25 2020, @07:43PM
"this will almost certainly provide even more information to track users."
looking through the document this is exactly what it does. So I guess the default will be all on in a browser like chrome and only power users will go and switch it off. Something like tor-browser will default all off.
(Score: 4, Interesting) by SomeGuy on Wednesday March 25 2020, @06:39PM (4 children)
User agents have been a pain for a long time. But they are part of HTTP.
There are actually STILL some web sites out there that block my web browser because my "OS" part of the string just happens to contain "Windows 95". Change it and it lets me in just fine. I tried contacting one of these sites and just got back the usual shit along the line of "derr we block that because viruses, u shud upgrade because teh security deeerr drool, drool, drool." The irony is several of these sites are vintage computing related.
On the other hand, sometimes changing IU strings could force some sites to give me an actual USABLE interface that was not full of retarded bullshit.
So, the real question is what happens to any web browsers that don't do the same thing as Gurgle Crumb? Will they be blocked from internet access altogether?
(Score: 2) by DannyB on Wednesday March 25 2020, @06:46PM (2 children)
What would happen, I wonder, if a user agent indicated one of the text mode browsers? [wikipedia.org]
Maybe a web site would know that you are too unfortunate to have JavaScript, blinking seizure inducing animated GIFs, local storage, and other such wonderful features; and the site would taylor the content accordingly. Suppose you could falsely indicate that browser as your user agent in order to avoid the web site sending you JavaScript and animated GIFs, etc.?
The lower I set my standards the more accomplishments I have.
(Score: 2) by takyon on Wednesday March 25 2020, @06:56PM (1 child)
https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Feature_detection [mozilla.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Interesting) by Pino P on Thursday March 26 2020, @01:04AM
The MDN article "Implementing feature detection" describes ways to test for features using script once script is already running on a page. It doesn't describe ways to determine whether ECMAScript 6 syntax can be used in inline script in the first place. It mentions the @supports selector but doesn't really explain how to determine the presence of CSS features for users of IE or older Safari, which lack @supports, when script is turned off. And there are still a bunch of things Modernizr can't detect [github.com] even if the user has chosen to enable script on your domain.
(Score: 0) by Anonymous Coward on Wednesday March 25 2020, @09:04PM
FTFY
(Score: 0) by Anonymous Coward on Wednesday March 25 2020, @06:56PM
not bug but a feature?
the public facing webserver presents "this is a test site! it works!" with any "wrong" user-agent string; the correct one, delivered via some side-channel, will let you in?
or even, on the fly, user-agent string switching according to some algo?
tbh methinks this is just a thinly veiled "certificate" to confirm to web-site operators (like banks and clubbermints) that "hey, look our browser confirms itself (you can run some test from your site too) and is totally up to all stundards and securitis that we keep making more and more complicated for nothing and with lots of advertisement monies (thanks for that btw), so that we end up being the only thru and honest browser on the planet".
(Score: 4, Informative) by shortscreen on Wednesday March 25 2020, @07:49PM
So now I won't have to waste time trying to figure out what magic user agent to spoof to get a site to load because web developers had their collective head up their collective ass. Instead I'll get a blank page because my browser only supports Client Hints (TM) version 1.24857WTF and they require at least version 1.3666FOAD.
(Score: 4, Insightful) by Bot on Wednesday March 25 2020, @09:26PM (1 child)
Chrome pushing its marketshare weight to force new standards.
Bring back the "this site works best with..." animated fake 3d gifs.
Account abandoned.
(Score: 2, Interesting) by Anonymous Coward on Wednesday March 25 2020, @09:50PM
Gifs? So retro. Try pure CSS: https://www.the-art-of-web.com/css/3d-transforms/ [the-art-of-web.com]
(Score: 4, Informative) by bryan on Wednesday March 25 2020, @09:45PM (1 child)
Google fails user agent checks on its own Gmail service. Unless your user agent matches one of a few "major" browsers, you are unable to login to the site.
As a developer of a small CEF [wikipedia.org] based browser, I've been bitten by this misfeature in Gmail and other badly coded websites. In my case, a "fake" user agent string that matches a popular browser allows the site to function normaly.
(Score: 1, Informative) by Anonymous Coward on Thursday March 26 2020, @02:01AM
So does Netflix. Tried to watch a movie recently with a year-old version of Firefox and Netflix told me to update my browser. Changed the user agent instead and the movie played fine.
(Score: 0) by Anonymous Coward on Thursday March 26 2020, @12:01AM
Generally the session goes:
HTTP Request, HTTP Response.
This models goes HTTP Request, HTTP Response, HTTP Request, HTTP Response for ONE page.
That is a fairly significant amount of additional latency.
Really what this does is create an initial basis for a negotiation protocol. Which is to say that Google may be looking to do what Brave is doing, it is just hiding it in a: "We're Google and we're here to help, don't mind the shovel and the bag of lye." kind of way. That isn't to say it is a bad thing.
Here is the million dollar question: If sessions have multipart negotiation by default, doesn't that make the web provider a telecom provider? You are negotiating the sale of a transmission, which is pretty much the same as long distance tarriffing from an architecture standpoint. The initial headers don't constitute content. PPP does this with LCP options, and since we aren't talking about content, but rather the right to transmit content, you might as well do PPP over TCP all the way to the web server and do the session negotiation in LCP. Right? It isn't content, so you could do that. If your negotiating transmission rates, it doesn't matter what protocol you do it with.
This is the part where somebody stands up and says: doesn't "Orchid Protocol" do this? Yes. But if it is anything like telegram, it's first versions will be primarily used to backhaul traffic from root kits, and run of the mill consumer malware, like say.... Windows.
Lots going on. Fun to see how it evolves.
(Score: 1, Touché) by Anonymous Coward on Thursday March 26 2020, @05:03AM (1 child)
On the contrary, you'll have more, to compensate for the lack of target.
But don't believe them, you'll have more anyways.
(Score: 2) by MostCynical on Thursday March 26 2020, @06:32AM
Fishing gear, computers, hair tonic, funeral homes AND baby supplies?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex