[matheusmoreira]

Excellent. Sites shouldn't know what user agent we're using anyway. Pretty much the only thing they use this for is to lock us out when we use "unsupported" browsers. The less information they get, the better. Hopefully they'll get rid of referrer too and weaken fingerprinting methods.

I have no doubt Google has self-serving motivations here but the result is still a win for us. I wish Firefox had enough leverage to force decisions like this down people's throats whether they like it or not but it just ain't so. Reality is imperfect so I'll take what I can get.

[sanderjd]

Yeah I tend to agree here... It really seems like none of the server's business what agent I'm using.

[matheusmoreira]

Yup. It's none of their business. They can't discriminate against us if they don't know anything about us.

[Fordec]

Can't trust you either. Are you a bot? Well it's good to assume you are by default, since it's the majority of internet traffic anyway. And for your privacy, you're not exactly forthcoming with data to now prove otherwise.

So sorry, until you pay with a unique individual bank account to prove identity, you can't post on future social media sites. You are a bot after all.

[matheusmoreira]

Even if I was a bot, what of it? Your site should serve bots just as well as it serves humans. Only people who care about that are those who want to monetize our eyeballs by selling our attention to the highest bidder.

If it's costing you money, have your HTTP server return 402 Payment Required instead of the free page. That's how it should be.

[Fordec]

There are vast reasons to prevent brigading, false information, information manipulation and any other number of malicious inputs that otherwise in a forum for people require trust to maintain community quality. Even for free reasons, especially say nice interest groups like one I used to be on for small satellites that got destroyed by uncontrolled bot spam.

I do not agree that every piece of the internet "should be" behind a paywall because bad actors exist. That world is the literal death of the "open" internet, putting everything behind a paywall.

[matheusmoreira]

> prevent brigading

Not something that should be prevented.

> false information, information manipulation

Not something any one person should be the arbiter of.

> and any other number of malicious inputs that otherwise in a forum for people require trust to maintain community quality

Trust is how you solve this. Forums shouldn't be letting randoms sign up and post. Just like we developers don't let randoms commit to our git repositories.

But they want that mass market appeal, don't they? They want everyone to have input access, to be able to comment and participate. Usually because they're pushing ads and the more eyeballs the better. They're hopelessly dependent on "engagement".

> That world is the literal death of the "open" internet.

Not really. It might mean the death of the "free" internet but not the "open" one. The open internet is the one where we get to use whatever software we want to interoperate without restriction. It's the one where we get to use a Python script to scrape your site if we wish to do so. It's the one where we get to download videos with yt-dlp.

[technion]

I've always advocated for feature detection. If you test for typeof Object.assign !== 'function' you can be sure you have a reasonably recent browser. If you want fetch, test for window.fetch.

This sort of thing always feels like it's going against the grain, with someone always asking "why wouldn't you do this properly. You know, build an allow list of user agents and match against them". I fully support people being forced into detecting the features they want and doing away with this nonsense,

[matheusmoreira]

I don't think web developers should be able to detect stuff like that either. Their ability to detect stuff provides identifying bits for fingerprinting. As far as I'm concerned, all the browsers should normalize the return values of those typeofs and all related functions so that Javascript can figure out exactly zero bits of information about the environment it's running on. Just like browsers will lie to Javascript when it tries to figure out your browsing history by checking the color of links.

The web platform gave web developers way too much freedom and they're abusing it. God giveth and god taketh away.

[Groxx]

There's simply no way that can ever be built though. "Browser v2 provides X which will call argument 1 in 2 seconds" -> how would browser v1 possibly hide that it is not v2? Anyone can build a thing that checks for that behavior, and now you have a piece of information.

Or for more useful stuff, "X gets you data from URL Y". Either you get that data or you don't. Voila, data about the browser.

The only alternative is that you never ever release any new features or fix any bugs.

[matheusmoreira]

How does cryptography software avoid such side channels? Normalize the performance somehow.

If I remember correctly, Firefox's fingerprinting resistance will actually slow down functionality to achieve that. Reduces the precision of performance timers or something. Makes CAPTCHAs exponentially more obnoxious.

[Groxx]

It hides that by being incredibly restricted in what you can do with it, lest you leak side channel information. To the point that you can't do much of anything useful, much less general computation. They're finely crafted Faberge eggs that break if you sneeze near them now or discover a new way of sneezing in the next few decades, not broad tools.

So... yes, you could build a "browser" like that. It would effectively have no scripting at all though, nor could it ever introduce new semantics that send data to another site, directly or transitively. You can do some stuff with that kind of system, but it's limited enough that most people don't choose it.

Gopher exists I guess? Lynx too, though lynx supports css, and that largely can't be allowed either.

[matheusmoreira]

Sounds good to me. Javascript is too powerful and should be limited. I shouldn't have to worry that my browser is executing remotely downloaded code that could exfiltrate an unbounded amount of information about me. They should either they get it right by doing it in a way that doesn't harm us, or they shouldn't get to do it at all.

The web should be fully declarative and permissions/capabilities based. If they can't do something that way, they shouldn't get to do it at all.

[raincole]

> Feature detection is too much power for developers

- People on HN.

[matheusmoreira]

Yes, it is too much power for them. Power which they abuse by fingerprinting us. Browser vendors agree with me: they reduced the power of developers by lying to Javascript when they tried to check link styles.

Do you think otherwise?

[raincole]

A. Test for window.fetch.

B. Check if a link is visited.

Whether these two even remotely fall into the same category is left as an exercise for readers.

[matheusmoreira]

A. Provides bits of identifying information.

B. Provides bits of identifying information.

To me it seems they're in the exact same category.

[technion]

Using an Abortcontroller with fetch for example is only recently supported. I like to use it where I can, but I don't want to crash on a slightly older browser. Feature detection is absolutely practically useful.

[matheusmoreira]

I have no doubt that it's useful. My point is it enables abuse towards us and that the potential for abuse overrides the utility.

Road to hell is paved with good intentions. When you propose a law, you must also think about the numberless ways it could be abused and misused to cause harm. Same principle applies here. The code shouldn't just fail, it should fail in ways that prevent the developer from even knowing it failed much less why. Simply because that would leak information.

[SoftTalker]

There are plugins for Firefox that can make the user agent string anything you want.

[matheusmoreira]

It doesn't matter. Actually those plugins are straight up counterproductive.

The best user agent is the one that offers them the fewest identifying bits. In other words, the user agent of the most popular version of Chrome. The ability to set it to "anything we want" is actually a trap. What we really want is for everyone to use the exact same user agent so they can't tell us apart.

If everyone has the same user agent, it's nothing but a waste of bandwidth and it should be removed. Google is actually achieving our objective here.

[SoftTalker]

Well yeah, they have a pre-configured set of choices, e.g. "Chrome on Windows" but you can do something custom too, if you want.

[eru]

Firefox has plugins to set your user agent to Chrome.

[matheusmoreira]

Pointless. Firefox should just pretend to be Chrome by default without the user having to install plugins or even do literally anything. As should all the other browsers. Anything that leaks out the fact it's not Chrome should be considered a bug and fixed.