The browser blockers: Is browser sniffing outdated?
Restricting access to approved browsers is not a good long-term strategy, experts say
Computerworld - It's vexing enough when certain Web sites render incorrectly in your chosen browser (see "When good browsers go bad -- and they all do"). But what about when you can't get into a site at all? Many financial institutions and some other Web sites restrict access to only approved browsers. As many new users of Chrome found out earlier this year, if you have the wrong browser -- or the wrong browser version -- you're locked out.
"We've been reaching out to Webmasters, and they've been fixing those," says Brian Rakowski, Google's director of product management for Chrome.
Bruce Lawson, Web evangelist at Opera, says, "It's a core issue in that it has to do with Web developers coding for a browser" -- in other words, making use of a given browser's proprietary features rather than using standards, which he calls "not a very sustainable development strategy."
Lawson explains: "Some banks do browser-sniffing where they attempt to discover which browser you're using, and if it's not IE they bounce you away. This is folly, since it's easy to set your browser to pretend to be IE, in which case it'll let you in and, more often than not, everything works fine -- so there was no point in rejecting non-IE browsers in the first place. It's also folly, since you might lose customers; most mobile phone users are using Opera or Safari on an iPhone rather than IE, for example, and that's a hugely growing market."
Fortunately, this happens less and less, Lawson says.
For those sites that do still practice this, many of them check what's called the "user agent string" in the browser against a whitelist of approved browsers -- or a blacklist of rejected ones. But that string can be easily modified by the user, or by browser add-ons the user has installed. Even strings in new browsers have contained keywords that have confused browser detection schemes, says Mike Beltzner, director of Firefox development at Mozilla.
Instead of browser-detection, he prefers feature-detection, a technique that developers can use to set up a Web site to determine whether a browser supports key features, such as SSL, that the site requires. When developers use this method, users don't have to wait for them to test new versions of browsers; if developers don't use feature-detection, it can be a pain in the neck for a user who has already upgraded his browser, because his bank's Web site is likely to lock him out of his account.
That browser-detection is still so prevalent clearly irritates Jeffrey Zeldman, co-founder of the Web Standards Project. "When my bank's site will work in any browser but the developer put in scripts that tell me my browser won't work, it's so idiotic, so wrong-headed, so unprofessional... so very, very 1999 that it makes me tear my hair," he says.
But developers are accustomed to doing things that way, says Mozilla's Beltzner. "To do feature-detection, you have to detect whether an object exists in the DOM." He doubts that many of those Web developers will change their methods. "As much as I'm an advocate of feature-detection I don't see brute force user agent detection going away," he says.
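The contrast Beltzner draws, as an added example (not code from the article or from any site it names): a user-agent allowlist next to a feature check that tests whether the required objects exist. The MSIE pattern, the list of required features, the ExampleBrowser string and the stand-in global objects are assumptions constructed for illustration.

```javascript
// Hypothetical gate of the kind the article describes: admit only clients
// whose user agent string carries an approved token (here, Internet Explorer).
const APPROVED_UA = /\bMSIE \d+/;
function sniffAllows(userAgent) {
  return APPROVED_UA.test(String(userAgent || ''));
}

// Capabilities this hypothetical site needs, as dotted paths from the global object.
const REQUIRED = ['XMLHttpRequest', 'JSON.parse', 'document.getElementById'];

// Feature detection: walk the path and report whether the object exists.
function hasFeature(env, path) {
  let node = env;
  for (const key of path.split('.')) {
    if (node === null || node === undefined || !(key in Object(node))) return false;
    node = node[key];
  }
  return node !== null && node !== undefined;
}

function missingFeatures(env, required = REQUIRED) {
  return required.filter((path) => !hasFeature(env, path));
}

// Constructed stand-ins for a browser's global object, so the comparison
// runs outside a browser. In a page, `env` would be `window`.
function fakeGlobal(userAgent, { xhr = true, json = true } = {}) {
  const env = { navigator: { userAgent }, document: { getElementById() { return null; } } };
  if (xhr) env.XMLHttpRequest = function XMLHttpRequest() {};
  if (json) env.JSON = { parse: JSON.parse };
  return env;
}

const IE_UA = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'; // constructed sample
const CLIENTS = {
  approved: fakeGlobal(IE_UA),
  newBrowser: fakeGlobal('Mozilla/5.0 (X11; Linux) ExampleBrowser/1.0'),
  spoofedOld: fakeGlobal(IE_UA, { xhr: false, json: false }), // claims IE, lacks features
};

// For each client: what the sniffing gate decides vs. what is actually missing.
function compare(clients = CLIENTS) {
  const out = {};
  for (const [name, env] of Object.entries(clients)) {
    out[name] = { sniff: sniffAllows(env.navigator.userAgent), missing: missingFeatures(env) };
  }
  return out;
}
console.log(compare());
```

The sniffing gate turns away the capable new browser and admits the client that only claims to be IE, while the feature check gets both right. Either way the user agent string is supplied by the client, so it cannot serve as an access control.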
Jason Titus, head of engineering at Yahoo Mail, defends the use of browser detection in Yahoo's new e-mail user interface, which uses both whitelists and blacklists. As he sees it, browsers can be buggy, they don't fully implement the standards, they often interpret standards differently and some are crash-prone.
"Very complicated pages like Yahoo Mail require a high level of performance and stability that simpler pages do not," he says. Yahoo Mail uses whitelists and blacklists "to protect our very large user base from potentially harmful bugs or issues." Yahoo Mail supports the browsers that the internal development teams use most often, including IE, Firefox and Safari. Other browsers -- and new versions of white-listed browsers -- are not added until they pass Yahoo's quality assurance certification. And that, Titus acknowledges, is a time-consuming process that can take weeks.
But Yahoo Mail's detection scheme isn't perfect. It blocked this reporter's Firefox 3 browser -- which was supposed to be white-listed -- from accessing Yahoo Mail, and it let in Opera, which isn't on the approved list. Meyer says browser-sniffing techniques are simply too fragile. "Who cares what the browser is called? I could rename the user agent string to 'my cool browser.'"