[opensource-dev] [POLICY] Configurable HTTP user-agent string

Tigro Spottystripes tigrospottystripes at gmail.com
Thu May 6 21:59:32 PDT 2010


doesn't the user agent string already tell servers about some of the
browser's capabilities with the current format?

the current one for my Firefox is:
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) Mnenhy/0.8.2

it says the operating system, the language it uses, the engine, the name
of the browser and version, mentions .NET CLR (whatever that is) and
its version, and also the name of one of the extensions (it used to
also say something about StumbleUpon back when I used it, I had to
disable it because it was lagging the whole browser for some reason)

With SL viewer's user agent string, you could inform which viewer it
is, whether RLV compatible functionality is present and enabled and all
sorts of other useful information about the viewer and the system it is
running on (though it would probably be a good idea to also talk about
the web browser itself and follow the standards regarding web browsers'
user agent strings).


But, I can easily make Firefox pretend to be another browser, or even
Googlebot, at least when it comes to the user agent string; it would be
good to have a similar functionality in SL browsers, though I'm not sure
it would be necessary that LL's client have it, and IMO TPVs shouldn't
be required to have it either (but I would really appreciate if Emerald
had it), but also there should be no requirement that the web browsers
in TPVs be honest in their user agent strings.

On 7/5/2010 00:06, Ricky wrote:
> One thing more to consider is that the content (but not the format) of
> this string is up to the viewer developer.  If the viewer developer is
> security conscious, or has a security conscious user base, the
> developer can choose to use the one selected by one of Linden
> Lab's main viewer versions.  Especially since the 1.x series is the
> current "base" of most viewers, this makes sense.  The only flaw here
> is that you will get the same thing going on with browsers today: they
> almost all say "Mozilla/4.0" even if they are, say, IE8...
> 
> Over-all, I think the security implications are important to consider,
> but that simple tweaks seem to be able to cover the concerns.  I'd
> rather get "Hi, I'm SecondLife/1.23.5 (compatible)" than "Hi, I'm
> <blank>" from all security-conscious TPVs.  Especially since LL's
> viewers will most likely not move over to the default-blank model, as
> they already are sending a string, and to change would require
> overcoming some entropy.. :P
> 
> Also, since this information is /already/ accessible (through means
> that are irritatingly complex), we need to get the client-side tweak
> of allowing the user to "opt-out" by setting a custom string in place.
> Since we are already "opted-in" by existing code, we have to choose
> the opt-out model.  Making the info easier to access in LSL is a
> tangential issue, but not unimportant.
> 
> Ricky
> Cron Stardust
> 
> On Thu, May 6, 2010 at 3:00 PM, Argent Stonecutter
> <secret.argent at gmail.com> wrote:
>> The only difference between "default none" and "default something
>> generic" is that you're sending more bytes to provide the same
>> negative information.
>>
>> On 2010-05-06, at 13:47, Tigro Spottystripes wrote:
>>
> have the default be something generic then
> 
> On 6/5/2010 15:24, Argent Stonecutter wrote:
>>>>> On 2010-05-06, at 11:51, Tigro Spottystripes wrote:
>>>>>> Then you just set your user-agent string to something generic
>>>>>
>>>>> Yes, I'm a paranoid nut who knows to do that. I know to opt out. Most
>>>>> people don't.
>>>>>
>>>>> Which is why any capability like this needs to be opt-in.
>>>>>
>>>>> _______________________________________________
>>>>> Policies and (un)subscribe information available here:
>>>>> http://wiki.secondlife.com/wiki/OpenSource-Dev
>>>>> Please read the policies before posting to keep unmoderated posting
>>>>> privileges
>>>>>
>>
>> "Welcome back, Anonymous, we're glad to see you again!"
>>
>>

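
Added example, not part of the original message or of any viewer's code: a Python sketch that splits a User-Agent header into product tokens and comment fields, run on the Firefox string quoted in the message, to show how many separate facts a detailed string discloses compared with a generic or blank one. The function names and the `generalize` reduction (first product, major version only) are assumptions made for illustration.

```python
import re

# Constructed sample: the Firefox string quoted in the message above.
SAMPLE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2.3) "
             "Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) Mnenhy/0.8.2")

# RFC 2616: User-Agent = 1*( product | comment ), product = token ["/" version].
# Group 1 is a parenthesised comment; groups 2 and 3 are product name and version.
_TOKEN = re.compile(r"\(([^()]*)\)|([^\s()/]+)(?:/([^\s()]+))?")


def parse_user_agent(ua):
    """Return (products, comments): [(name, version_or_None)], [field, ...]."""
    products, comments = [], []
    for m in _TOKEN.finditer(ua):
        if m.group(1) is not None:
            # Comment fields are separated by ';' inside the parentheses.
            comments.extend(p.strip() for p in m.group(1).split(";") if p.strip())
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments


def disclosed(ua):
    """List every distinct fact a server can read from the string."""
    products, comments = parse_user_agent(ua)
    facts = [f"product {n} version {v}" if v else f"product {n}"
             for n, v in products]
    facts += [f"comment field {c!r}" for c in comments]
    return facts


def generalize(ua, keep=1):
    """Hypothetical opt-out form: first `keep` products, major version only,
    all comment fields (OS, locale, plugins) dropped."""
    products, _ = parse_user_agent(ua)
    out = []
    for name, version in products[:keep]:
        out.append(f"{name}/{version.split('.')[0]}" if version else name)
    return " ".join(out)


if __name__ == "__main__":
    # Detailed string, the generic string suggested in the thread, and blank.
    for ua in (SAMPLE_UA, "SecondLife/1.23.5 (compatible)", ""):
        print(f"{len(disclosed(ua)):2d} facts disclosed by {ua!r}")
    print("generalized:", generalize(SAMPLE_UA))
```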