Skip the navigation

The browser blockers: Is browser sniffing outdated?

Restricting access to approved browsers is not a good long-term strategy, experts say

By Robert L. Mitchell
February 24, 2009 12:00 PM ET

Computerworld - It's vexing enough when certain Web sites render incorrectly in your chosen browser (see "When good browsers go bad -- and they all do"). But what about when you can't get into a site at all? Many financial institutions and some other Web sites restrict access to only approved browsers. As many new users of Chrome found out earlier this year, if you have the wrong browser -- or the wrong browser version -- you're locked out.

"We've been reaching out to Webmasters, and they've been fixing those," says Brian Rakowski, Google's director of product management for Chrome.

Bruce Lawson, Web evangelist at Opera, says, "It's a core issue in that it has to do with Web developers coding for a browser" -- in other words, making use of a given browser's proprietary features rather than using standards, which he calls "not a very sustainable development strategy."

Lawson explains: "Some banks do browser-sniffing where they attempt to discover which browser you're using, and if it's not IE they bounce you away. This is folly, since it's easy to set your browser to pretend to be IE, in which case it'll let you in and, more often than not, everything works fine -- so there was no point in rejecting non-IE browsers in the first place. It's also folly, since you might lose customers; most mobile phone users are using Opera or Safari on an iPhone rather than IE, for example, and that's a hugely growing market."

Fortunately, this happens less and less, Lawson says.

For those sites that do still practice this, many of them check what's called the "user agent string" in the browser against a whitelist of approved browsers -- or a blacklist of rejected ones. But that string can be easily modified by the user, or by browser add-ons the user has installed. Even strings in new browsers have contained keywords that have confused browser detection schemes, says Mike Beltzner, director of Firefox development at Mozilla.

[Limiting browser access is] so idiotic, so wrong-headed, so unprofessional... so very, very 1999 that it makes me tear my hair."
Jeffrey Zeldman, Web Standards Project

Instead of browser-detection, he prefers feature-detection, a technique that developers can use to set up a Web site to determine whether a browser supports key features, such as SSL, that the site requires. When developers use this method, users don't have to wait for them to test new versions of browsers; if developers don't use feature-detection, it can be a pain in the neck for a user who has already upgraded his browser, because his bank's Web site is likely to lock him out of his account.

That browser-detection is still so prevalent clearly irritates Jeffery Zeldman, co-founder of the Web Standards Project. "When my bank's site will work in any browser but the developer put in scripts that tell me my browser won't work, it's so idiotic, so wrong-headed, so unprofessional... so very, very 1999 that it makes me tear my hair," he says.

But developers are accustomed to doing things that way, says Mozilla's Beltzner. "To do feature-detection, you have to detect whether an object exists in the DOM." He doubts that many of those Web developers will change their methods. "As much as I'm an advocate of feature-detection I don't see brute force user agent detection going away," he says.

Jason Titus, head of engineering at Yahoo Mail, defends the use of browser detection in Yahoo's new e-mail user interface, which uses both whitelists and blacklists. As he sees it, browsers can be buggy, they don't fully implement the standards, they often interpret standards differently and some are crash-prone.

"Very complicated pages like Yahoo Mail require a high level of performance and stability that simpler pages do not," he says. Yahoo Mail uses whitelists and blacklists "to protect our very large user base from potentially harmful bugs or issues." Yahoo Mail supports the browsers that the internal development teams use most often, including IE, Firefox and Safari. Other browsers -- and new versions of white-listed browsers -- are not added until they pass Yahoo's quality assurance certification. And that, Titus acknowledges, is a time-consuming process that can take weeks.

But Yahoo Mail's detection scheme isn't perfect. It blocked this reporter's Firefox 3 browser -- which was supposed to be white-listed -- from accessing Yahoo Mail, and it let in Opera, which isn't on the approved list. Meyer says browser-sniffing techniques are simply too fragile. "Who cares what the browser is called? I could rename the user agent string to 'my cool browser.'"

Next: Web standards on the edge

Read more about Networking in Computerworld's Networking Topic Center.



Our Commenting Policies