Should UA string spoofing be treated as a trademark violation?

[RobG]

I wandering about the common proctice of some UA's producers to spoof
the UA string to pretend to be another browser (most often IE).

Is it common? How many browsers, by default, spoof others?

Shouldn't it be considered as a trademark violation of the relevant
name owner?

On the face of it, yes. However, whether it could be held to be so in a
court is quite another matter.

I am not a lawyer, but as anyone with a business that sells products it
designs and makes itself, I have an interest in knowing about trademark
and copyright law as applicable in my own jurisdiction. In regard to
trademark, the primary question is whether its use will confuse
consumers into thinking a product is from one company when in fact is is
from another. A case in point is Apple Corps and Apple Computer, though
there are aspects of that case related to the logo also.

The second issue is the damages that might arise - loss of sales because
consumers bought the 'wrong' product, leveraging another company's good
will, loss of reputation because the second company's faulty products
reflected on the first, and so on.

In regard to user agent spoofing, I don't think any of the above can be
shown. Consumers don't identify browsers by looking at the UA string,
so it can't be a factor in their decision of which browser to use. If
you can't prove that, end of case.

A more tenuous link could be shown if certain user agent strings were
required to make sites work properly (the original reason for doing it).
It might then be shown that this has some effect on consumer choice, but
the obvious conclusion here is inappropriate discrimination by the site.
The UA has the defence of acting as it did to overcome that
discrimination. To go further and try to link it back to trademark
violation is a very long bow to draw.

Is it some different situation with the current spoofing?

Yes, because the UA string is not a factor in consumer choice of which
browser to use.

 

[Matt Kruse]

Don't all browsers have a bug that other browsers do not have? But
most significant bugs can be tested for without browser detection. If
you think otherwise you are welcome to suggest a concrete example and
see if it can't be feature detected.

I'm curious to know if there is a way to feature-detect the need for an
"iframe shim" behind a DIV.

In IE on windows, as I'm sure you know, select lists and other controls
always render on top of other elements, regardless of z-index values. This
is commonly solved by placing an empty iframe behind the element, which
effectively blocks the control from showing through.

This problem only applies to IE on Windows. While there doesn't seem to be
any problem with adding the iframe for other browsers, it would ideally not
be done if not necessary.

What feature-detection could be used to determine the need for the iframe
shim?
It would be possible to feature-detect other things that are known to exist
only in IE on Windows, but it's generally not a good practice to infer
feature X based on the existence of feature Y.

Thoughts?

 

[VK]

What feature-detection could be used to determine the need for the iframe
shim?

IE-specific "specifics" usually solved by using JScript pre-processor:
....
/*@cc_on @*/
/*@if (@_jscript)
var fixNeeded = true;
@else @*/
var fixNeeded = false;
/*@end @*/

It is possible to imagine that some UA producer will implement exactly
the same pre-processor and instruct it to tell that it is Internet
Explorer running JScript.
It is possible - but this already goes beyond the power of any
developer - and beyond any acceptable behavior.

And "semantically" it is not a "yaky UA sniffing". I do not sniff
anything: I just place a piece of code and let it to be executed by any
UA capable to handle it (ignored otherwise).

With SVG programming I still need more UA sniffing because Opera and
Gecko SVG implementations are too different in some important aspects
to treat them equally. Here the biggest challenge was from Opera: this
browser became really determined to be undetectable out of IE. As soon
as some feature check was found, they cover it by a bogus "cork" in the
next upgrade. I really was running out of ideas until I found
windows.opera object (where they keep their a la GreaseMonkey
functions). The only thing bothers me now in my nightmares that if
some new wannabe bastard desides to pretend to be Opera rather than IE
or Gecko. I tranquilize myself by thinking that it's highly doubtful -
though yet possible.

 

[Matt Kruse]

IE-specific "specifics" usually solved by using JScript pre-processor:

That is not feature-detection.

/*@cc_on @*/
/*@if (@_jscript)
var fixNeeded = true;
@else @*/
var fixNeeded = false;
/*@end @*/

Further, this doesn't check for Windows vs. Mac, since the problem doesn't
occur on Mac.

 

[VK]

That is not feature-detection.


Further, this doesn't check for Windows vs. Mac, since the problem doesn't
occur on Mac.

Oh, you need Mac check too? Here we are:

/*@cc_on @*/
/*@if (!@_mac)
var fixNeeded = true;
@else @*/
var fixNeeded = false;
/*@end @*/

Alternatively:

/*@cc_on @*/
/*@if (@_win32)
var fixNeeded = true;
@else @*/
var fixNeeded = false;
/*@end @*/
(I guess it is secure to disregard a possibility of Windows 3.x ;-)

You need JScript.Net check maybe?

/*@cc_on @*/
/*@if (@_jscript_version >= 7)
var lang = 'JScript.Net';
@elif (@_jscript_version < 7)
var lang = 'JScript';
@else @*/
var lang = 'JavaScript';
/*@end @*/

To not run over and over here are all conditions you can check:

@_win32
True if running on a Win32 system.

@_win16
True if running on a Win16 system.

@_mac
True if running on an Apple Macintosh system.

@_alpha
True if running on a DEC Alpha processor.

@_x86
True if running on an Intel processor.

@_mc680x0
True if running on a Motorola 680x0 processor.

@_PowerPC
True if running on a Motorola PowerPC processor.

@_jscript
Always true.

@_jscript_build
Contains the build number of the JScript scripting engine.

@_jscript_version
Contains the JScript version number in major.minor format.

Enjoy!

 

[Lasse Reichstein Nielsen]

Is it common? How many browsers, by default, spoof others?

Almost all other than Netscape 2-4.

IE6's user-agent string (on my computer) is:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)

The initial Mozilla/4.0 is a spoof of Netscape 4. The remaining data can
be used to discover that it actually isn't Netscape 4 by servers that
know what to look for, while those that don't know will be spoofed.
Most people have forgotten that this is how, and where, spoofing started

FireFox's is:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

It claims to be Mozilla/5.0, which it isn't. It's perhaps acceptable, since
it's in the general family of browsers reporting that name.

I don't remember what Opera's default is any more. It used to be an
IE-spoof. Mine is set to report as Opera, and I only very rarely have
problems with that (I still spoof for MSDN)

(And, also IANAL, I agree on the arguments against it being trademark
violation)

/L

 

[Lasse Reichstein Nielsen]

I really was running out of ideas until I found
windows.opera object (where they keep their a la GreaseMonkey
functions).

The user.js-functions are new, but I believe window.opera has been
in Opera since the earliest Javascript capable Opera browsers.

The only thing bothers me now in my nightmares that if
some new wannabe bastard desides to pretend to be Opera rather than IE
or Gecko. I tranquilize myself by thinking that it's highly doubtful -
though yet possible.

The reason browsers try to look like other browsers is to twart
annoying programmers that refuse to let pages work on them, even
though they implement all the features that are needed. As long as
programmers use browser detection as a white-list of browsers that are
allowed to work on their page, browser makes will try to prevent their
browser from being excluded (usually for no good reason).

If the programmers used feature detection instead, then they won't
need to know what browser it is, only what features are available. A
completely new but feature complete browser would work with old pages
then. Using browser detection as a white-list, it would be
unnecessarily excluded.

/L

 

[VK]

I don't remember what Opera's default is any more. It used to be an
IE-spoof.

The latest Opera 8.54 default is
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; en) Opera 8.54
(with different OS and language of course for different users)

I presume it currently holds the record of spoofing by claiming
three browsers at once. At least they mention the real one now (Opera)
too but AFAIK it is a rather recent improvement.

(And, also IANAL, I agree on the arguments against it being trademark
violation)

It claims to be able to handle the content which it cannot handle: say
it cannot draw VML graphics, initialize ActiveX objects and use
behaviors. I understand that it is always possible to serve some
generic all-in-one script to sniff the real situation client-side and
act accordingly. But since when server-side content preparation became
an illegal technique? It is very often that the requested page doesn't
exists at all - but being prepared out of raw data per call.

 

[cwdjrxyz]

The latest Opera 8.54 default is
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; en) Opera 8.54
(with different OS and language of course for different users)

I presume it currently holds the record of spoofing by claiming
three browsers at once. At least they mention the real one now (Opera)
too but AFAIK it is a rather recent improvement.


It claims to be able to handle the content which it cannot handle: say
it cannot draw VML graphics, initialize ActiveX objects and use
behaviors. I understand that it is always possible to serve some
generic all-in-one script to sniff the real situation client-side and
act accordingly. But since when server-side content preparation became
an illegal technique? It is very often that the requested page doesn't
exists at all - but being prepared out of raw data per call.

Opera is quite unique in many ways in addition to spoofing user agents.
So far as I know, it does not use actual ActiveX (unless you add
unofficial plugins that float around from time to time), and Opera has
been very anti-ActiveX, at least in the past. Yet, for the last few
upgrades, Opera will run the WMP9 and 10 media player if you use only a
Microsoft ActiveX object to code for the media playing. I have no idea
what Opera is doing to get this to work - hopefully someone knows. Of
course there have been ActiveX plugins for the WMP only for Netscape,
Mozilla and Firefox in the past, but you had to download them, and the
mentioned browser writers tended to discourage this. The reason for an
ActiveX plugin for the WMP is that some only write for IE using an
ActiveX object and do not bother to write a path for most other
browsers that do not come with ActiveX.

Since I work with quite a bit of media, I have noted something else
interesting at the server of my host. You of course get records of the
user agent for visiting browsers. However these days you often get a
record of the visit of a player, such as the WMP, Real, etc. Actually
some of the modern media players are now running about 3 times the byte
size of a small browser such as Opera or Firefox. Part of this
complexity is due to inclusion of new features for selling and
protecting media.

 

[Lasse Reichstein Nielsen]

The latest Opera 8.54 default is
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; en) Opera 8.54
(with different OS and language of course for different users)

I presume it currently holds the record of spoofing by claiming
three browsers at once. At least they mention the real one now (Opera)
too but AFAIK it is a rather recent improvement.

I don't think so ... but let me check.
Yep, Opera 3.62 reports:
Mozilla/4.0 (Windows NT 5.1;US) Opera 3.62 [en]
i.e., spoofing Netscape 4 to the uninitated, but revealing itself to be
Opera to those who knows that it exists.

It claims to be able to handle the content which it cannot handle: say
it cannot draw VML graphics, initialize ActiveX objects and use
behaviors.

My IE can't initialize most ActiveX objects either.
Still, that should be handled by content negotiation, not feature
inference from the user-agent string. It wouldn't have been spoofed
to begin with, if people hadn't abused it.

I understand that it is always possible to serve some generic
all-in-one script to sniff the real situation client-side and act
accordingly. But since when server-side content preparation became
an illegal technique?

It never was ... but people refusing to serve content to a browser
that can understand it, just because they don't recognize its name,
have made the bed they now lie in (if that's an idiom in English).

/L

 

[Thomas 'PointedEars' Lahn]

Is there a troll convention going on in the UK this weekend .

If there was, most certainly you would be there, would you not?

Just look at the post history of some of the trolls responding to this
thread,

I can see only one, maybe two trolls here. Certainly they are not called
Richard, Michael, or Lasse, as those people are in fact invaluable
contributors to this newsgroup, who have made their points well.
While "cwdjrxyz" and the like are not at all, and they have not.

[...]
Since some [...] appear to have far too much free time, as
indicated by their many and often extremely long and rude posts
to this group and others [...]

This is a technical Usenet discussion group, its more serious contributors
trying to come up with (for some people hard) technical facts; not some
cuddle script-kiddie Web forum, its members telling you what you want to
hear, that you may be used to. If you can't stand the heat, stay out of
the kitchen.

<URL:http://jibbering.com/faq/>


Score adjusted

PointedEars

 

[VK]

It never was ... but people refusing to serve content to a browser
that can understand it, just because they don't recognize its name,
have made the bed they now lie in (if that's an idiom in English).

You've made the bad you sleep in it. Point taken.

 

[RobG]

Almost all other than Netscape 2-4.

IE6's user-agent string (on my computer) is:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)

The initial Mozilla/4.0 is a spoof of Netscape 4. The remaining data can
be used to discover that it actually isn't Netscape 4 by servers that
know what to look for, while those that don't know will be spoofed.
Most people have forgotten that this is how, and where, spoofing started

FireFox's is:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

It claims to be Mozilla/5.0, which it isn't. It's perhaps acceptable, since
it's in the general family of browsers reporting that name.

Safari on PowerPC is:

Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/XX (KHTML, like
Gecko) Safari/YY


And on Intel:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/XX (KHTML,
like Gecko) Safari/YY

<URL:http://developer.apple.com/internet/safari/faq.html#anchor2>


where XX and YY are appropriate version numbers. With the debug menu
enabled, it takes a second to change it to any of a number of strings,
including Netscape 4, 6, 7, IE 5 Mac, IE 6 Windows, even Konqueror 3.


There is still one site that, when I log in, reports:

"This site is not optimised for Netscape 6. We recommend
you use Microsoft Internet Explorer Version 6.0 or
Netscape 4.77 or 4.78."


I ignore the warning and everything works as expected.

Stumbled across this site that appears to have a fairly exhaustive list
of UA strings:

<URL:http://www.pgts.com.au/pgtsj/pgtsj0208c.html>

 

[cwdjrxyz]

The latest Opera 8.54 default is
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; en) Opera 8.54
(with different OS and language of course for different users)

I presume it currently holds the record of spoofing by claiming
three browsers at once. At least they mention the real one now (Opera)
too but AFAIK it is a rather recent improvement.

I don't think so ... but let me check.
Yep, Opera 3.62 reports:
Mozilla/4.0 (Windows NT 5.1;US) Opera 3.62 [en]
i.e., spoofing Netscape 4 to the uninitated, but revealing itself to be
Opera to those who knows that it exists.

I dug up several properties for Opera 7.21 from 2003 from some of my
backups. In case anyone needs the information for several other current
browsers in 2003, I can provide that also. The information was obtained
on a Windows XP OS.

______________________________________________________________________

Opera 7.21

appCodeName=Mozilla
appMinorVersion=
appName=Microsoft Internet Explorer
appVersion=4.0 (compatible; MSIE 6.0; Windows NT 5.1)
userAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.21
[en]
vendor - NN6 up only=undefined
vendorSub - NN6 up only=undefined
document.all object support=true
getElementById object support=true
java support=true
Height=768
Width=1024
Available Height=738
Available Width=1024
Color Depth=32 bit
innerWidth=1022
innerHeight=584
clientHeight=584
clientWidth=1022
language for NN & Opera=en
language for IE & relatives=en
IE4 browser language or IE5 up op. sys.lang=en
Presistent cookies enabled?=true
CPU Class(IE4+)=undefined
On Line(IE4+)?=undefined
Operating System(NN6+)=undefined
Platform=Win32
Product Name(NN6+)=undefined
Product Version(NN6+)=undefined
Operating System Language(IE4+)=undefined
User Profile(IE3+)=undefined
document.body.clientWidth object support=true
document.body.clientHeight object support=true
document.body object support=true
window.innerHeight object support=true

_____________________________________________________________________

 

[VK]

Safari on PowerPC is:

Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/XX (KHTML, like
Gecko) Safari/YY

Wow! Opera is moved on the second place in the spoofing context.

Mozilla
KDE
Gecko
Safari

I just love this part: "like Gecko" - what a hell does it suppose to
mean? Almost but no sigars? That sustains my old idea that some UA
strings are being prepared under sever toxic influence.

Now if would be cool to see the Konqueror string. To become the winner
it should be now something like "(KHTML, like Safari) close to Gecko
almost MSIE".

 

[Lasse Reichstein Nielsen]

I just love this part: "like Gecko" - what a hell does it suppose to
mean? Almost but no sigars?

Most likely that some induhviduals out there are checking for the
occurence of the string "Gecko" in the user-agent string before
allowing browser to use their site. An again they got what they asked
for.

That sustains my old idea that some UA strings are being prepared
under sever toxic influence.

Hardly. There's a logic to it, although a quite twisted one. It's
cops an robbers - every time someone tries to use the user-agent
string inappropriately, the browser makers change it so that their
browser still matches.

/L

 

[VK]

After rethinking I agree with you that it is not stupid: I also think
that it is exact on the topic of this thread.
This is the same as say <http://www.microsoft.com> - try to use it for
anything but Microsoft, Inc. But just add "my" and it becomes your
private business right away: <http://www.mymicrosoft.com>
<http://www.coca-cola.com> -no way; <http://www.my-coca-cola.com> - my
way.

AppleWebKit/XX (KHTML, Gecko) - too dangerous
AppleWebKit/XX (KHTML, like Gecko) - so sue me

"like Gecko", "almost Firefox", even "not MSIE". Stincky- but so far
legally secure I guess.

Hardly. There's a logic to it, although a quite twisted one. It's
cops an robbers - every time someone tries to use the user-agent
string inappropriately, the browser makers change it so that their
browser still matches.

I would go for this logic if new browsers would be *exact* functional
equivalents of UA's they are spoofing. I mean they can have better
usability and as many extra features as they want: but the
functionality of the spoofed browser must be implemented in full and in
all details. But it is not this way: so far mostly these are narrowed
implementations with a set of their particular bugs and rendering
twists. Yet they want to be served by the same server-side content
prepared for much more capable UA: and if they chock on it (no
surprise) they propose to "Report brocken site". I may be biased but
something is wrong with this picture.

 

[Randy Webb]

VK said the following on 4/16/2006 4:27 PM:
Your quoting is incorrect, RobG nor you wrote the below, Lasse did.

I would go for this logic if new browsers would be *exact* functional
equivalents of UA's they are spoofing.

Stop trying to determine the UA and start testing for features and that
becomes a moot point, as any and all arguments about the validity of UA
strings are.

 

[Lasse Reichstein Nielsen]

I would go for this logic if new browsers would be *exact* functional
equivalents of UA's they are spoofing. I mean they can have better
usability and as many extra features as they want: but the
functionality of the spoofed browser must be implemented in full and in
all details.

If most pages required that, I could accept it as a requirement. But
pages that exclude browsers by browser detection are usually created
by people with less than perfect grasp of browser scripting. They
are likely to just use the same few features that everybody else on
the web are using, and that new browsers do support.

Think as a browser creator: If 100 pages exclude your browser, you
would rather spoof a browser that they include and have 90 of them
work perfectly and 10 of them break while running. It's better service
for your users (90 more pages that work), and users of non-IE browsers
are likely to, rightly, blame the page writer for errors anyway.

But it is not this way: so far mostly these are narrowed
implementations with a set of their particular bugs and rendering
twists.

Why should they be any different from the existing browsers (except
that they actually support the core W3C standards, unlike IE).

Everything on top of that is bonus features which should only be
used after detecting the feature, not just the browser.

Yet they want to be served by the same server-side content
prepared for much more capable UA: and if they chock on it (no
surprise) they propose to "Report brocken site". I may be biased but
something is wrong with this picture.

If you take Opera as an example, they always identify themselves as
Opera. Any page that still fails must be unaware of, or deliberatly
ignoring, that their page doesn't work. Reporting the page as broken
allows Opera Software to test if the page fails due to a bug in the
browser or due to being badly written. If the latter, they can contact
the site owner and report it (along with the message that at least on
Opera user wanted to use their site and couldn't).

/L

 

[VK]

Ref. Should UA string spoofing be treated as a trademark violation?

As a support for my point of view expressed in this thread, where Opera
was mentioned among the most "nasty offenders". Either they read this
and agreed on it, or they came to the same conclusion independently,
but:

<http://www.opera.com/docs/changelogs/windows/900b1/> (freshly listed
on opera.com):

Changelog : HTTP
....
Changed default UserAgent string to identify as Opera.
....

P.S. Now it's time to take care of Safari and Konqueror ;-)