this post was submitted on 21 Nov 2023
1218 points (95.9% liked)
Firefox
17763 readers
183 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It’s time to get rid of user-agent strings that declare anything other than desktop, mobile, or html version.
If I was a Firefox dev I'd start looking into building in user agent spoofing right into the browser.
It already opens Facebook pages in a special isolated tab. They could have apple.com open in it's own special "safari" tab. I wonder if there's anything preventing them from doing that. I guess it could be bad because it would make their market share appear even smaller.
The irony of Firerfox officially agent spoofing while everyone else uses some variant of "Mozilla" as their UAS is too much.
I think user agent scrambling is part of privacy.resistFingerprinting, but it's a controversial feature and breaks a lot of webpages
Broken webpages might be a good thing. There are too many browsers that aren’t adhering to standards. Stop coding around it and start publicly shaming these megacorps.
https://webaim.org/blog/user-agent-string-history/
kek
That article is great! I have it linked on my website next to the text that displays the user agent of the user.
That's was interesting to read.
The biggest offender is, surprisingly, cloudflare. They will straight up refuse to serve you any site if your user agent is not one of the mainstream ones. It's not even "find the traffic light to prove you're human", but a page basically saying "fuck you, go away".
Well their job is to block weird bot-looking traffic...
what is more likely to be a bot? a unique and trackable useragent for a semi-niche browser engine, or a vanilla Chromium+Windows which half of everyone uses ?
Most semi and fully legitimate bots use a custom user agent.
what about malicious/unwanted bots? if cloudflare is trying to block bots, the bots will want to not look like bots. the easiest way to do that is to use a common user agent.
User agent identifier is not useful to block bots. You can literally set it to whatever you like.
User agents are not unfortunately not the only way to identify a browser, there are other ways to fingerprint a platform.
JavaScript as it is today also need to be thrown in a trash of history. Website should not contain additional code. If someone wants to send me an app hacked on top of website rendering, it should be a popup asking me first if I want to run this.
No, dynamic content should absolutely be able to be delivered through the open Web, not just through walled gardens. Apps are almost universally shit.
No problem with sending some JavaScript module extending browser's capability. But the problem I see is sending whole sites this way, sometimes even rendering HTML on the visitor's browser, yack..
That's a terrible idea. Every single thing other than a block of text requires js.
This is absolutely not true and just a myth. Images, video playback, "show more", forms, tabbing, animations, custom icons, hover effects, popups, background images and videos, light/dark mode, hamburger menus...
It's hard to count things you can do with advanced format that is HTML+CSS. Saying JavaScript is nessesary for anything other than block of text is like saying that in Minecraft command blocks are nessesary for anything other than making voxel art.
For basic things like interacting with your bank or goverment, running any additional code should be unnessesary. And I believe this needs to be a law targeting accessibility and compatibility.
For maps, dynamic updating, OK. But look at the web now, most sites are apps requiring 99% of web standards implemented to work. No wonder it's now impossible to actually make a new browser.
HTML was made to last. If browser do not support some tag it would try and render it anyway. Meanwhile with today's webapps browsers in 2033 will be required to have so much technical debt that for now was exclusive to operating systems.
i don't want them knowing desktop or mobile either. we all have good enough phones now to handle a proper website on mobile -- mobile sites are fucking garbage.
steve jobs during the original iphone keynote did a whole segment on how you could load the full rich widescreen NYT website and zoom in and out and look at that rich text rendering. apps are ass, mobile sites are ass.
especially when they don't even have all of the features of the desktop site
The number of sites that aggressively disable the force pinch to zoom accessibility feature is too damn high
99% of sites only need to know your screen aspect ratio and maybe available input devices, can't think of a good reason to share anything else
Knowing OS is useful for download links.
I’d be down for an ask to allow that info. Sort of like how sites request access to cam and mic.
Before Windows 10, NVidia and others had this button Detect what thing suits me best on their websites. Now many of them just look it up in one's fingerprint without asking.
Oh no, they'd have to list more than one link,the horror!