NFN Smith wrote:
David H. Durgee wrote:
It tells me > Firefox 60 on Windows 10
✗ Your web browser is out of date
Out of date web browsers can have security problems and may cause
websites to not work properly.
You have version 60, why not upgrade to 86?
Well, Firefox 60 is out of date. The current version is 86 and the
ESR version is 78.something.something.
The only site I have to switch user agents for at present is Chase,
and they accept Firefox 68 there. In general I believe it best to
stay as close to reality as possible, as a site might attempt to use
features
only implemented in later releases if it thinks they are available.
Chase is long known to be especially unfriendly to Seamonkey, but where
spoofing is generally enough to get around problems. Although rejection
errors are often phrased as "outdated" and imply that older versions of
Firefox may not have sufficient capacity, most of the time, the only
thing compelling about newer versions of Firefox is fixes of security
holes. However, with Firefox, virtually every x.0.0 release has
security fixes, often holes introduced within the last one or two
release cycles. Thus, I don't believe that any site will reject a
connection that shows Firefox 78 (implied, 78 ESR), even if there are
security fixes for each version since 78, all the way up to the current
86.0. Thus, I believe concerns about security holes to be mostly
overblown.
I've noted before that the most frequent places I see objections to
Seamonkey (and older Firefox UA strings) tends to be at financial
institutions, and where their objections to Seamonkey mostly come from
their unwillingness to invest any effort other than stock Firefox (and I
suspect that there's a growing number that would ignore Firefox entirely
and standardize on Chrome, if they could get away with it). Chase is
merely one of the most aggressive out there.
I know that one of the things that drives UA sniffing is server
scripting. With NoScript active, I've found that I less frequently get
barks about aged or unsupported browsers (as well as things like EU
cookie warnings). However, for sites that require logins, it's frequent
that User Agent sniffing is done by scripting from the same servers that
are used to process login credentials. Therefore, if you block the
particular scripting host, you won't get UA complaints, but you can't
log in, either.
Not all UA handling relies on scripting. On my own server, I do
filtering of UA settings through the server's .htaccess file, as a way
of defending against bot activity. Besides stuff that's obvious
(never-valid versions, and UA strings with syntax errors) I generally
use .htaccess rules to reject really old versions (e.g. IE versions
before 11, Chrome versions before 70, etc.) because a connection showing
those UAs is far more likely to be a bot than a live user. But if
connection is rejected that way, the user merely gets a 403 error
("Access Denied". The only way it's possible to display a plea/demand
for an acceptable browser is via scripting.
To my knowledge, other Mozilla-derived browsers that use the same syntax
of UA strings (particularly PaleMoon and Waterfox) tend to have the same
issues that we Seamonkey users do, although I haven't examined
extensively. And for some reason, sites tend not to complain about
non-Google Chromium browsers, such as Opera, Iron or Brave.
All that said, if you're resorting to spoofing, there's nothing that
*requires* using a valid UA string. If a site is simply looking for a
particular version, it's common that they're not looking for anything
else. I haven't tried it, and handling likely varies from site to site,
but a lot of the time, I don't see a reason why you can't spoof, showing
something like:
Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
SeaMonkey/2.53.7
This one happens to be a Linux string and the most current version of
Firefox, but I think that most sites don't really care what platform
you're showing. Most of the time, they're merely looking for a minimum
version of Firefox that follows the slash. Some may pay attention to
"Seamonkey" following "Firefox", but few do. And in my experience, what
you show following rv: is irrelevant. Notice that I've also rendered
Seamonkey as 2.53.7 (which is still beta), but I don't think that really
matters, either.
If you want to do it with Windows (and with Firefox ESR) you can use:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
Firefox/78.0 SeaMonkey/2.53.7
One additional consideration of spoofing is that if you resort to this
kind of thing, it very clearly identifies you, and pretty much uniquely.
If you're sensitive to that kind of tracking, your best bet would be
to stay under the radar, and show just string from Firefox 78 ESR:
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
Firefox/78.0
With Seamonkey, remember also that UA spoofing applies also to the
User-agent: header used in mail. Thus, for the message that I'm
replying to posted by David Durgee, my use of the dispMUA extension
shows an orange Firefox logo, meaning that when he posted the message,
he was spoofing a Linux version of Firefox 60. That's not necessarily a
problem, but I will note that for somebody that's paying attention, an
email message that was composed with a browser is odd. Because I do
spoofing myself (and occasionally forget to remove spoofing before
sending email), I know that when I see a message showing a browser UA,
it's because the sender was doing spoofing.
Actually not spoofing other than Chase, I simply have the preference set
to identify as Firefox under HTTP Networking. Perhaps that preference
should be ignored in the news/mail component of SeaMonkey.
Dave
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey