[Javascript] Serious browser detection.

David Lovering dlovering at gazos.com
Tue Mar 16 08:07:55 CST 2004


Another issue to consider is that many of the reserved tokens can be
"spoofed" in Javascript (or so the CERT/CIAC security folks maintain).  If
my understanding is correct, these are defined shortly after the client
connection to the session is initiated, and can (allegedly) be manipulated
subsequently.  Presumably later revs will preclude this, making it
impossible to alter reserved tokens unless done in a signed script -- and
even then with restrictions.  I've already verified that some reserved
tokens are protected this way, but the security notices would imply that not
all of them are.  I've not experimented with the browser detection
parameters, and couldn't say one way or the other whether they are
vulnerable.

Anybody have any personal experience with this?  I'd like a second (or
third) opinion.

-- Dave Lovering

----- Original Message ----- 
From: "Håkan Magnusson" <hakan at backbase.com>
To: "[JavaScript List]" <javascript at LaTech.edu>
Sent: Tuesday, March 16, 2004 2:13 AM
Subject: Re: [Javascript] Serious browser detection.


> Thanks Andrew, but it has to be client side; the company I work for is
> developing a web application framework written in JavaScript. This
> framework has no requirements on web server software, and we can't add
> it because of the browser detection. ;)
>
> > In any case, you might find some useful (and more relevant) information
> > in Apple's Safari developer FAQ:
>
> Thanks again, but to quote someone wittier than me, it seems that Apple's
> idea of a "reference" is a couple of pages where they brag about what
> their software almost could do if they didn't release the beta version.
>
> <warning:semi-political-views>
> It is so obvious that Apple really wants people to think that Safari is
> just as cool (and standards compliant) as Mozilla/Camino (just have a
> look at the userAgent string, "KHTML, like Gecko", geez) when the actual
> support for *anything* is close to none. Why, oh why, Apple, didn't you
> use a working, accepted, standards compliant, non-beta browser engine
> instead of this crap we have to deal with now?
> </warning:semi-political-views>
>
> Again, thanks anyway. This is not a critical problem (until people start
> spoofing Safari's useragent string...) and I was merely reaching in the
> dark for a more comprehensive object reference than I have now.
>
> Regards,
> Hakan
>
>
> Andrew Crawford wrote:
> > Greetings,
> >
> > I'm curious: is there some particular or common reason to use JavaScript
> > rather than server-side browser detection?
> >
> > This Open Source solution can do what you describe doing with JavaScript
> > and can handle Safari version detection.  They seem to keep it fairly
> > up-to-date and it all runs on the server as a PHP script:
> >
> >    http://phpsniff.sourceforge.net
> >
> > In any case, you might find some useful (and more relevant) information
> > in Apple's Safari developer FAQ:
> >
> >    http://developer.apple.com/internet/safari/safari_faq.html
> >
> > Andrew Crawford
> > Javascript at Evermore.com
> >
> > At 05:29 PM 3/15/2004 +0100, you wrote:
> >
> >> People,
> >>
> >> I have my browser detection script, completely object based except for
> >> a few small issues. These include detecting what VERSION of MacOS the
> >> user is running, if using a Mac, and proper detection of Safari
> >> (currently detecting by looking at userAgent) and furthermore which
> >> Safari version is in use.
> >>
> >> Basically, I am wondering if anybody knows of a good way to detect
> >> MacOS version (through any object/property, on all (major) browsers)
> >> and Safari/Safari versions (through object based detection instead of
> >> looking at userAgent).
> >>
> >> Ideas?
> >>
> >> Regards,
> >> Hakan
> >> _______________________________________________
> >> Javascript mailing list
> >> Javascript at LaTech.edu
> >> https://lists.LaTech.edu/mailman/listinfo/javascript
>
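
Added example, not part of the thread or any poster's code: a consistency check for the concern raised above that the userAgent value can be altered by script. The mock navigator and window objects, the sample userAgent strings and the probe table are constructed assumptions so the check runs outside a browser.

```javascript
// Added example. Mock objects stand in for the browser so this runs offline.
// MockNavigator models userAgent as a prototype accessor, as browsers expose it.
class MockNavigator {
  #ua;
  constructor(ua) { this.#ua = ua; }
  get userAgent() { return this.#ua; }
}

// Engine the userAgent string claims. AppleWebKit is tested first because
// Safari's string also contains the words "like Gecko".
function claimedEngine(ua) {
  if (/AppleWebKit\//.test(ua)) return 'webkit';
  if (/Gecko\/\d/.test(ua)) return 'gecko';
  if (/MSIE \d/.test(ua)) return 'trident';
  return 'unknown';
}

// Object-based probes (illustrative assumptions; extend per target browser).
const PROBES = {
  trident: (win) => 'all' in win.document,
  gecko: (win) => 'sidebar' in win,
};

function observedEngine(win) {
  for (const [engine, probe] of Object.entries(PROBES)) {
    if (probe(win)) return engine;
  }
  return 'unknown';
}

// Returns a list of findings; an empty list means no inconsistency was seen.
function auditUserAgent(nav, win) {
  const findings = [];
  // An own property means script redefined userAgent on this instance.
  if (Object.getOwnPropertyDescriptor(nav, 'userAgent')) {
    findings.push('userAgent shadowed on navigator instance');
  }
  const claimed = claimedEngine(nav.userAgent);
  const observed = observedEngine(win);
  if (observed !== 'unknown' && claimed !== observed) {
    findings.push(`userAgent claims ${claimed}, objects indicate ${observed}`);
  }
  return findings;
}

// Constructed samples: one untouched navigator, one with userAgent redefined.
const GECKO_UA = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040113';
const SAFARI_UA = 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8';
const geckoWindow = { sidebar: {}, document: {} };
const honest = new MockNavigator(GECKO_UA);
const spoofed = new MockNavigator(GECKO_UA);
Object.defineProperty(spoofed, 'userAgent', { value: SAFARI_UA });
```

Both checks run in the same script context as whatever altered the value, so they are a consistency signal for compatibility code, not a basis for an access decision.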




