[webkit-dev] New iOS versions sending bogus User-Agent build data

Colin Bendell | +1.613.914.3387 colin at bendell.ca
Thu Apr 26 10:09:30 PDT 2018

On 26 April 2018 at 12:23, Konstantin Tokarev <annulen at yandex.ru> wrote:
> 26.04.2018, 19:16, "Michael Catanzaro" <mcatanzaro at igalia.com>:
>> On Thu, Apr 26, 2018 at 11:13 AM, Michael Catanzaro <mcatanzaro at igalia.com> wrote:
>>>  By fixing the WebKit bug, of course. And in the meantime you can work
>>>  around it on the server side by not using <img src=mp4>, right?

Today, we can work around it by ignoring the Accept field. However,
tomorrow once the bug is fixed we will be in the paradox of not
knowing which versions of Safari are telling the truth.

>> Consider the other perspective on this problem. If other servers look
>> at the WebKit version in the UA to determine if WebKit supports img
>> src=mp4, other WebKit ports that don't support this are going to be out
>> of luck and get broken pages. I know that's not what you're doing --
>> you're looking at iOS version instead, and only doing it to work around
>> a specific bug, which is much better -- but the problem of websites
>> sending bad content based on bad user agent parsing is so severe that
>> we don't have many good options, here. :/
> Not to mention those evil people who reject page loading for user agents
> they don't (want to) support

How does locking the UA solve the misbehaving parsers in the wild?
They will still misbehave and break the user experience. However,
those of us that are trying to optimize the user experience by working
around bugs for specific versions are now handicapped and punished.

The reality is that bugs exist. There is a give and take here where
the content negotiation is sometimes smarter on the client, and
sometimes smarter on the server. In the case of media, the server is
usually smarter and must be because of the long tail of adoption.

Ideally everyone on the planet will adopt iOS V.Latest overnight,
but sadly this will not be the case. Servers must account for the long
tail of users on many different versions. Right now we are forced to
decide to apply a solution that works only for v.latest, or apply a
solution that works for v.lowest-common-denominator. In both scenarios
we compromise the user experience. Ideally we wouldn't have to
sacrifice some users and would be able to account for bugs in the

As I said before, if this detail is available in javascript, then why
hide it on the wire? Perhaps it's time for a User-Agent2 with precise
feature declarations? Even still a version number is needed because,
well, bugs.

While I understand the fingerprinting concern, I'm not particularly
convinced that UA obfuscation is the best solution for users and the
user experience. Without opening up the religious debate of
fingerprinting with the UA, how can we provide enough detail (version
numbers) so that service providers can work toward the greater good of
improving the user experience?

Is there room for compromise?
