I have just received a complaint from a legitimate user that they were refused access to one of my hosted sites. The UA string, below, was sent with a reasonable header except for HTTP/1.0, which I think was the actual cause of blocking.
To ensure future accesses I need to update for the MSIE 11 string but that's trivial. The HTTP protocol is worrying. Does anyone else have experience of this UA and it's HTTP/1.0-1 protocol?
User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
By default, Internet Explorer 11 on Windows 8.1 sends the following User-Agent string:
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
This string is deliberately designed to cause most UA-string sniffing logic to interpret it either Gecko or WebKit. This design choice was a careful one—the IE team tested many UA string variants to find out which would cause the majority of sites to “just work” for IE11 users.
It goes on to discuss adding such things as .NET4.0E; .NET4.0C; into the UA between the Trident identifier and the rv version. Thus the actual UA is still similar to the old one in some respects. There is also the Compatibility mode which removes the new syntax and reverts to the old one, so one can never really be sure what to expect.
The sniffing referred to is .NET's means of returning the correct web site content. It has nothing to do with real life UA detection. With respect to MS, they might have considered a better method than tacking "like gecko" onto the end of the UA in such a cavalier fashion instead of implementing it properly, as other browsers do.
I wonder how this user (or any other!) managed to send the default UA rather than the .NET version, given that all MS operating systems, as far as I know, include .NET stuff.
I wonder how long before the first abusers cotton on to this UA?
[edited by: incrediBILL at 9:07 pm (utc) on Feb 22, 2014] [edit reason] formatting and linking [/edit]