Slashdot Mirror


Testers Say IE 11 Can Impersonate Firefox Via User Agent String

Billly Gates writes "With the new leaked videos and screenshots of Windows Blue released, IE 11 is also included. IE 10 just came out weeks ago for Windows 7 users and Microsoft is more determined than ever to prevent IE from becoming irrelevant as Firefox and Chrome scream past it by also including a faster release schedule. A few beta testers reported that IE 11 changed its user agent string from MSIE to IE with the 'like gecko' command included. Microsoft may be doing this to stop web developers feeding broken IE 6-8 code and refusing to serve HTML 5/CSS 3 whenever it detects MSIE in its user agent string. Unfortunately this will break many business apps that are tied to ancient and specific versions of IE. Will this cause more hours of work for web developers? Or does IE10+ really act like Chrome or Firefox and this will finally end the hell of custom CSS tricks?"

31 of 252 comments

  1. Hmmm by BrokenHalo · · Score: 5, Insightful

    Unfortunately this will break many business apps that are tied to ancient and specific version of IE. Will this cause more hours of work for web developers?

    Too bad if it does. Their excuses wore out long ago.

    1. Re:Hmmm by pspahn · · Score: 5, Insightful

      ...they're gonna suffer because of MS and they don't deserve that.

      Suffer? This just creates more billable hours. I'm not sure what line of work you're in, but the phrase "more work for you" isn't exactly a bad thing (as long as it's paid for!)

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Hmmm by rudy_wayne · · Score: 4, Insightful

      The main culprits I've seen which do this are telephone system providers (Mitel/iPecs etc).

        The issue being that people are very touchy about updating telephony software, primarily following the old adage, "if it ain't broke don't fix it".

      The problem is that it IS broken.

    3. Re:Hmmm by mwvdlee · · Score: 4, Insightful

      Spoken like a true soulless manager.
      If you go and "spraypaint" the wall of your company's toilets, it's "more work for the cleaners" too.
      Think they'll be happy with those extra billable hours? I'm sure their managers are.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Hmmm by rwa2 · · Score: 4, Interesting

      Heh, all they had to do was offer IE6 in a VM to allow all the businesses and government organizations to still run all of the old crappy homegrown locked-in apps. Those apps aren't going away (a lot are there to meet contractual/legal obligations and aren't trivial to redevelop / recertify).

    5. Re:Hmmm by pspahn · · Score: 3, Interesting

      Actually, yeah, I manage the entire team here at my office... at home... consisting of myself... and, oh wait it's just me.

      You can either bitch and moan about corporate lack of vision (or bureaucratic weight, or whatever you want to call it) or you can knuckle down and fix the shit they pile on everyone else's plate... and get paid for it.

      I prefer to be the guy people can call when they want someone else's shitty mess fixed, rather than be known as the 'unapproachable tech guy'.

      I've spraypainted nothing... But if someone wants to pay me to come clean it up, I have a contact form I can direct them to.

      --
      Someone flopped a steamer in the gene pool.
    6. Re: Hmmm by Anonymous Coward · · Score: 5, Funny

      I hate to be the one to tell you this, but your boss sounds like a total opportunistic douche.

    7. Re:Hmmm by YeeHaW_Jelte · · Score: 5, Informative

      Yes that is all they have to do and surprise, surprise, they do it:

      http://www.microsoft.com/en-us/download/details.aspx?id=11575

      --

      ---
      "The chances of a demonic possession spreading are remote -- relax."
    8. Re:Hmmm by jimicus · · Score: 4, Interesting

      Too bad if it does. Their excuses wore out long ago.

      They did, but business apps that are tied to specific versions of IE are endemic and quite often it's not as simple as paying money and getting the software updated. We're not talking one or two apps here that need updating; we're talking hundreds if not thousands of applications, some of which quite clearly haven't had any major UI work done in five or ten years.

      In the last fortnight, I've seen - and this is in just one small business:

        - A web app that requires a specific ActiveX plugin to print - evidently a stylesheet for printing or even generating a PDF is too difficult. This plugin only works on 32-bit versions of IE; under 64-bit versions the plugin installer silently fails to work. (The plugin developer does have a 64-bit version available, but it's commercial software. You can't just download a 64-bit version from the developer's website yourself).
          - This web app is provided for franchisees by their franchisor. (I won't name the franchise, but I guarantee you've heard of it). As with any franchise-type arrangement, the franchisee can ask their franchisor nicely but cannot force anything - and in this case, the franchisee simply cannot say "In that case I won't use your tool; I'll find something else to do the same job", using it is a condition of the franchise.
        - Several web apps that require you to explicitly click the "broken mode" button in IE - they're generating IE6-only HTML when IE is used but IE isn't detecting this and automatically downgrading.
          - Quite often these apps will work just fine with Chrome, Firefox et al. It looks like they're detecting an IE User-Agent string and generating IE-6 specific HTML rather than checking the IE version.
          - These apps are provided by a third-party and you have to use them otherwise you can't do business with that third party. The business itself doesn't care about your idealistic attitude that IE-dependent websites must die; they need to meet payroll this month and one of the ways they do this is by working with various third parties.
        - Web applications that quite simply do not function in anything but Internet Explorer in any form, no matter what you do with your user-agent string. You'd be amazed (and faintly disturbed) how many project managers read as far as "no need to deploy your own client app" when first considering web development and didn't get the bit about "with careful development, client platform independent".
            - Much of this is actually Microsoft's own doing - they purposely encouraged this sort of behaviour back in the days of IE6.

    9. Re:Hmmm by rudy_wayne · · Score: 5, Insightful

      Those apps aren't going away (a lot are there to meet contractual/legal obligations and aren't trivial to redevelop / recertify)

      I have no sympathy for companies that used bad software. They're in their position because of bad business decisions in the first place.

      Unfortunately, it's not that simple.

      Browsers and the World Wide Web in general didn't just suddenly appear one day, fully formed with a complete set of perfect specifications and standards. They evolved slowly over time. And while everything was evolving, and while everyone was trying to figure out exactly what those web standards should be, the rest of the world wasn't standing still. Billions of web pages were being created, based on whatever shitty browsers and standards existed at the time.

      For a long time, it didn't matter what "standards" there were. Internet Explorer *WAS* the standard, because it was the only major browser -- there was no Firefox or Chrome -- and so that's how web pages were designed. Then when things changed, when there was competition among browsers and more emphasis on adhering to standards, there was a problem. There were all these billions of web pages and applications based on old shitty browsers. Suddenly businesses had all this stuff that worked perfectly fine in IE6 but broke horribly with any other browser. It's easy to make fun of their "lack of foresight" but back when IE6 was the only browser from a big well known company, people had no way of knowing that things were going to change tremendously in just a few years.

      And so browser developers were forced to resort to all sorts of hacks and kludges to make sure that their browser properly rendered all those shitty poorly designed web pages. Sure you could design a browser that refused to display all those improperly coded pages. (Hey, remember "Strict HTML"?) And you would watch usage of your browser drop to zero. When the average person goes to a page that does not display properly how many of them think "this page wasn't designed properly" versus "there's something wrong with my browser"?

    10. Re:Hmmm by YeeHaW_Jelte · · Score: 3, Informative

      Too lazy to follow the link?

      It's a virtual machine, works perfectly fine on VirtualBox and thus on Linux and OS X.

      --

      ---
      "The chances of a demonic possession spreading are remote -- relax."
    11. Re:Hmmm by MightyYar · · Score: 4, Funny

      Dung shui?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    12. Re:Hmmm by Anonymous Coward · · Score: 4, Informative

      This makes the assumption that the money would be spent on something else when the true objective of the game is to hoard as much as possible.

    13. Re:Hmmm by AmiMoJo · · Score: 3, Informative

      Actually MS offer a compatibility mode in IE that runs the old IE6 engine in a sandbox. You can create a whitelist of sites that will automatically use it. No need for a VM.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Hmmm by Ash+Vince · · Score: 4, Informative

      Browsers and the World Wide Web in general didn't just suddenly appear one day, fully formed with a complete set of perfect specifications and standards. They evolved slowly over time. And while everything was evolving, and while everyone was trying to figure out exactly what those web standards should be, the rest of the world wasn't standing still. Billions of web pages were being created, based on whatever shitty browsers and standards existed at the time.

      For a long time, it didn't matter what "standards" there were. Internet Explorer *WAS* the standard, because it was the only major browser -- there was no Firefox or Chrome -- and so that's how web pages were designed.

      Exactly.

      I used to work from 2002 to 2005 as a web developer for a company who mostly contracted to graphic designers. At the time they expected things to work on IE5 (the Mac version of course). They did not really care about Firefox (although it did exist then, but with zero non-techy users).

      I threw together god knows how many sites in the 2-3 years I worked at that company. All we did was offer the client a choice: If they wanted Firefox support, they paid extra. Almost nobody bothered. We were a budget development house so our margins would not support the extra work of supporting all the IE hacks needed and the more W3C Firefox unless the client paid extra. They all required the sites to work perfectly in IE though obviously.

      I tried to make sites work in Firefox just out of a sense of professionalism on a few occasions but the problem is that then you appeared to have a far slower work rate than the rest of the team who took the IE only short cut they were told to by the technical manager. He was also a developer, director of the company and joint owner so he made an informed decision not to support anything other than IE from technical perspective and was able to see if you were ignoring it. If you ignored it that was fine, but you still had to keep up with the other devs simply by putting in overtime.

      It only took other browsers to get a market share above 5% - 10% for things other than IE5 / IE6 under Windows and suddenly clients were interested in supporting other browsers. In 2002 - 2004 though IE was so dominant that nobody cared about anything else in the real world as only geeks bothered to change their browser. Making things IE only remained commonplace in commercial web development right up to 2005 - 2006.

      http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

      I remember having to spoof using IE under Linux in order to access my online banking (from HSBC) as they considered all other browsers to be too insecure :)

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    15. Re:Hmmm by Bacon+Bits · · Score: 3, Insightful

      The main culprits I've seen which do this are telephone system providers (Mitel/iPecs etc).

        The issue being that people are very touchy about updating telephony software, primarily following the old adage, "if it ain't broke don't fix it".

      The problem is that it IS broken.

      There's a significant difference between "broken" meaning "functions in an anachronistic or extremely sub-optimal fashion" and "broken" meaning "complete loss of function". If you've got the latter, you'd gladly take the former.

      This is why people tend to dislike new technology when it completely replaces an existing old system rather than complementing it or existing alongside it. Systems don't survive to be old if they don't meet the needs of the people who use them, and almost any new system will have some period of time where the new system does not meet their needs.

      --
      The road to tyranny has always been paved with claims of necessity.
    16. Re:Hmmm by jc42 · · Score: 5, Insightful

      Suffer? This just creates more billable hours. I'm not sure what line of work you're in, but the phrase "more work for you" isn't exactly a bad thing (as long as it's paid for!)

      In economics circles, this would be considered a case of the "Broken Window Fallacy". That's the term for the belief that destructive acts (e.g., breaking windows) add to the economy because it creates sales of replacement parts and employment for the workers that fix the damage. This is wrong, of course, because it doesn't add to the total wealth; it only shuffles money around while decreasing the total wealth. Time spent repairing damage is time lost that could have been used to create new stuff.

      The concept applies in the software business, too. Real social wealth is created when someone builds software that delivers useful new capabilities. The Web as a whole is a good example of this. But software that simply does something in an incompatible way doesn't add to wealth; it merely increases the labor required to do a given job. That's a reversal of the usual "wealth" benefit of computing, which is based on the idea of replacing human labor with the activity of mechanical gadgetry, freeing human time to do more interesting things.

      Unfortunately, we have a lot of history saying that people easily fall for the Broken Window Fallacy in most of its forms. In particular, manufacturers routinely "innovate" by intentionally making things that aren't quite compatible with their competitors' equipment. This is a serious drag on advances in the "Human Condition", since it's invariably a sinkhole of human time, trying to deal with the messiness and unpredictability of all the incompatibilities. We have adopted computers because they've freed up our time, not because we want to spend more time doing things that could be done quickly.

      Microsoft has a well-understood history of throwing monkey wrenches into the machinery (to use another form of the metaphor), but they're far from the only ones. Pretty much any corporation with the economic clout will do the same thing, as they attempt to lock customers into their brands.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    17. Re:Hmmm by jc42 · · Score: 3, Interesting

      spoof the user agent back to MSIE

      So that the served content is for IE6-8 ... [which doesn't work with IE11]

      Part of the fun here is that IE has "spoofed" FF and the other Mozilla browsers all along, by including "Mozilla" in most forms of its User-Agent string. I see this all the time, when I test my web sites against various versions of IE. This has always been a minor problem for web developers, since it's easy for software to misunderstand such things. You might think you've got a test that successfully distinguishes real Mozilla-type browsers from IE, but then MS releases a version with a tweaked User-Agent string that your RE doesn't parse quite right, and your code sends the wrong style of HTML to the browser.

      I've occasionally wondered why the Mozilla gang hasn't charged MS with trademark infringement for such monkey-wrench tactics. After all, if I were to start providing a browser whose default User-Agent string included the "MSIE" token, MS's lawyers would be all over me. But they use their main competitor's brand name with impunity. If the Mozilla crowd weren't such nice guys as to allow this, life might be a bit easier for web developers everywhere.

      Actually, quite a lot of browsers provide a list of User-Agent strings, and let a user choose one. This is probably legal, and is occasionally useful, especially to developers. But it's annoying and a waste of developers' time when vendors are allowed to install a lying User-Agent string as the default. It would improve matters for a lot of us if this were legally considered consumer fraud, trademark infringement, or whatever other legal terms apply.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
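The failure mode discussed in this comment and in jimicus's reply above (a substring test on the User-Agent that serves IE6-era markup to every IE, or that mistakes "like Gecko" for Gecko), as an added example that is not part of the thread. The function names are hypothetical and the User-Agent strings are constructed samples; the header is client-supplied, so the result is only a rendering hint.

```javascript
// Added example, not code from any commenter. Constructed sample
// User-Agent strings in the shapes each browser family sends.
const SAMPLES = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie8: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  ie10: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  // No "MSIE" token, "like Gecko" appended, as the summary describes.
  ie11: "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  firefox: "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
  chrome: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 " +
          "(KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31",
};

// Pattern described in the thread: any "MSIE" token gets legacy markup,
// so IE 10 is treated exactly like IE 6.
function naiveMarkup(ua) {
  return /MSIE/.test(ua) ? "legacy" : "standard";
}

// Word-only Gecko test: IE 11's "like Gecko" and WebKit's
// "KHTML, like Gecko" both satisfy it.
function naiveIsGecko(ua) {
  return /Gecko/.test(ua);
}

// Token-and-version parse. Missing or oversized headers are "unknown"
// rather than guessed at.
function parseUserAgent(ua) {
  const unknown = { family: "unknown", major: null };
  if (typeof ua !== "string" || ua.length > 512) return unknown;
  let m;
  if ((m = /\bMSIE (\d+)\./.exec(ua))) {
    return { family: "ie", major: Number(m[1]) };
  }
  // IE 11 shape: engine token plus rv:, no MSIE token.
  if ((m = /\bTrident\/\d+.*\brv:(\d+)/.exec(ua))) {
    return { family: "ie", major: Number(m[1]) };
  }
  if ((m = /\bChrome\/(\d+)/.exec(ua))) {
    return { family: "chrome", major: Number(m[1]) };
  }
  // Real Gecko carries a "Gecko/<build date>" product token.
  if ((m = /\bGecko\/\d+.*\bFirefox\/(\d+)/.exec(ua))) {
    return { family: "firefox", major: Number(m[1]) };
  }
  return unknown;
}

// Only IE 6-8 gets the legacy path; anything unrecognised gets
// standards markup, so a new browser is never pushed into legacy mode.
function chooseMarkup(ua) {
  const { family, major } = parseUserAgent(ua);
  return family === "ie" && major < 9 ? "legacy" : "standard";
}

// Side-by-side results for every sample.
function report() {
  return Object.entries(SAMPLES).map(([name, ua]) => ({
    name,
    naiveMarkup: naiveMarkup(ua),
    naiveIsGecko: naiveIsGecko(ua),
    parsed: parseUserAgent(ua),
    chooseMarkup: chooseMarkup(ua),
  }));
}

console.table(report());
```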
    18. Re:Hmmm by Sloppy · · Score: 3, Insightful

      The Broken Window Fallacy represents an overall systemic loss, but that doesn't mean there can't be localized gains. They're just gains at someone else's expense. It harms the economy to go around breaking windows, but it really can benefit someone to go around doing that. That's why "defense" contractors love war. The construction industry probably loves hurricanes. Acknowledging or advocating these localized gains doesn't mean someone fell for the Broken Window Fallacy; it merely means they might be vampiric parasitic assholes.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    19. Re:Hmmm by Acaeris · · Score: 3, Informative

      The Mozilla tag in most UAs is a compatibility tag for the Mozilla rendering engine and in the case of IE, is a leftover from its fight against Netscape. So in reality, it's never spoofed Firefox. Everything just spoofs Netscape.

  2. Really? by lesincompetent · · Score: 5, Insightful

    I Say Firefox Can Impersonate IE11 Via User Agent String.

  3. Amazing how it can boomerang by Anonymous Coward · · Score: 5, Insightful

    Microsoft thought they could subvert the web by creating their own standards, and it worked for a while, and now that same strategy ended up biting their own behinds. I'm enjoying this popcorn. It has Karma written in the container.

  4. Headline and Summary Mismatch by Internal+Modem · · Score: 5, Informative

    Wouldn't a better headline be "IE 11 user agent string changes from MSIE to IE," since most of the summary is about that?
    The headline isn't even discussed in the summary.
    However, it's obvious the standard ability of browsers to report a different user agent for dev and testing has been sensationalized here just for click generation.

  5. You don't say! by T-Bone-T · · Score: 3, Interesting

    Business apps designed specifically for IE6 might not work with IE11? I'm shocked! That's terrible! What is this world coming to? Or should I say, to what is this world coming? (don't answer that)

  6. Sigh by ledow · · Score: 4, Insightful

    The day that the first website was able to detect what client was being used to view it, we were in trouble.

    Whether it was people trying to "fix" ancient Opera (and still some sites had such tests until very recently), people telling you what browser to use (i.e. not accepting Netscape / IE of certain versions - I still know of a UK bank that stops you logging in as certain browsers, but fake the user agent string and it works 100%), or just plain faffing about (i.e. iPlayer detecting the user-agent to see if it's "allowed" to download the iPad streams, etc.).

    The day that you were able to tell what someone was running and make a decision based on that, we basically lost the point of a standard. If someone has a client that can't render a standard page, then that's their problem and we should have left them to it - eventually they would have complained to the relevant person and their browser would become closer to the standard. We would also have killed off abominations like non-standard HTML tags and everything else.

    If you have CSS, in this day and age, that does detection of the user-agent, then that's your problem - you manage it and if it ever affects my usage of it, I'll be complaining and going elsewhere. If you have a browser that can't change the user-agent at will and still work, then that's a crap browser (purely because the user should be in control of the website they are displaying and not the other way around). Precisely because we're all too stupid to just make browsers and websites conform to a common standard.

    Personally, I use Opera - have done for nearly a decade now. If it doesn't work in Opera, I move on and go somewhere else. The number of times it's stopped me doing something I wanted is vanishingly small (probably 4-5 incidents in all that time), and I've blamed the website every time - not Opera (because in every instance, faking the user-agent to something else has fixed the problem, so it's not the browser). It's cost several small companies my custom (not that they would be able to tell, or care).

    Fact is, my life is too short to play games with accessing your website. If I can't, I move on. End of. I've even moved my bank accounts because of it (NatWest, in the UK, had a website that refused to work with anything but ancient versions of IE or Netscape - yes, it actually said Netscape even in the era of Firefox - and they refused to fix it "for security reasons", so I moved on. Presumably they've fixed it now, but I don't really care because the damage was done by not being able to log into it at my convenience).

    You have a website because you want people to come to it and see your content. Hiding that content, because you don't know how to properly display it, is so counter-productive, I can't even begin to explain it. If the fancy shit you're pulling messed up my browser (which conforms to all the ACID tests and general compatibility with EVERY OTHER SITE on the planet), maybe you should take that fancy shit off?

    1. Re:Sigh by Xugumad · · Score: 3, Interesting

      > The day that you were able to tell what someone was running and make a decision based on that, we basically lost the point of a standard

      Well, sort of. If the browser gets the standard wrong, and the options are:

      1. It doesn't work for that browser.
      2. Degrading the result for everyone.
      3. Implementing a browser-specific work-around.

      Which would you really prefer? Yes, user agent testing is heavily mis-used, but it's not the terrible idea it's made out to be.

      I'll give you a specific example; we had an issue with file uploads with Safari over SSL. For some reason if the connection was kept alive, Safari would frequently start uploading the file but never complete. The work-around was to force connection close for Safari; it wasn't perfect, but it massively reduced the frequency with which the issue appeared.

    2. Re:Sigh by ledow · · Score: 3, Insightful

      "I'm sorry, your car doesn't have a standardised fuel cap. Is the fix to:

      1) make your car have a standard fuel cap?
      2) force everyone to use your new fuel cap?
      3) make pumps sense by the numberplate which model of car they are filling up and change the fuel cap to the right one each time?"

      Whatever option you choose, 3) is really incredibly stupid and puts the onus on fuel stations to make the changes rather than the idiot that wanted to be different for no good reason. It might be *A* solution, but *THE* solution is to just look at the guy who can't fuel up their car with a "You pillock" look until they realise they've bought a turkey - and then let Ford / GM / whoever supply an adaptor to him rather than you having to carry 20 adaptors for all the different types of fuel cap there are.

      All you've done is encourage Safari to be the exception to the rule, with a broken implementation that now doesn't have to be fixed (because you "fixed it" for them on your end).

      By way of analogy, if - say - a browser can't upload more than a 2Gb file, then you're choosing to detect the browser that can't, chop the file up into little bits just for them, and pass it on. You're fixing their crappy browser for them, so you have to take all the burden for their mistakes. That's just not sensible compared to say "Sorry, your browser is crap and can't handle downloads the size of your average DVD from 5 years ago. Maybe you should investigate alternatives."

    3. Re:Sigh by twdorris · · Score: 3, Informative

      If someone has a client that can't render a standard page, then that's their problem and we should have left them to it - eventually they would have complained to the relevant person and their browser would become closer to the standard.

      Are you new here? You may not remember the days when this mess all started. IE was king and you *had* to work around it. You couldn't just let it be "their problem" and "left them to it". That's so "counter-productive, I can't even begin to explain it". These customers (sheep running IE) would come to *you* in droves asking why they couldn't view your website. And your response was going to be "because IE doesn't display my standards-compliant page"? Wow...no...that doesn't work.

      Nowadays, things are clearly different. Which is great. But to suggest developers should have never used the user-agent tag to distinguish browser differences is ludicrous.

  7. Parsing user agent strings = bad. by danhuby · · Score: 4, Interesting

    I've been developing web applications full time since 1996 and I've never once had to resort to browser detection via user agent strings. It's just bad practice.

    The fact that some people have been doing this has led to the very convoluted user agent strings we see today, rather than a simple description of the browser / rendering engine and version.

    It's perfectly possible to write code that works cross-browser without having to detect browsers via user agent strings. The closest I've come to any sort of browser specific code is occasionally including IE specific CSS to work around IE bugs, but this is included in an IE specific way and is ignored by other browsers.

    A browser vendor should be able to put whatever they like in the user agent string, and if that breaks a web site or application, then so be it. It's the fault of the developer for making assumptions.

  8. Bork Bork by TheP4st · · Score: 5, Interesting

    Back in 2003 msn.com deliberately sent Opera a faulty style sheet that broke the page, in response and to make a point Opera released a Bork version of their browser that turned msn.com into Swedish Chef talk. http://news.cnet.com/2100-1023-984632.html

    Karma is a Bitch.

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    1. Re:Bork Bork by Kjella · · Score: 3, Informative

      Back in 2003 msn.com deliberately sent Opera a faulty style sheet that broke the page, in response and to make a point Opera released a Bork version of their browser that turned msn.com into Swedish Chef talk. http://news.cnet.com/2100-1023-984632.html

      Of course the actual story is that Opera had a bug which that style sheet worked around, when they fixed it in a new version the page looked broken because they still got the modified style sheet. So yes it was deliberate but not malicious, in fact someone had made extra effort to make it work on Opera however the PR opportunity was far too good for Opera to pass up. That's one problem with browser-based hacks, if you're not around to maintain them should you assume the next version of IE will be 100% standards compliant or that most of the IE6 hacks would also be required for IE7. It wasn't as obvious as you'd think, to the clients it looked like your site was incredibly fragile when it broke horribly on any new browser version. Those were dark days, long before real standards compliance.

      --
      Live today, because you never know what tomorrow brings