Google and Mozilla are acting to help ensure minimal disruption for site owners
ANALYSIS Numerous issues were discovered with User-Agent parsing libraries as the major version number of web browsers went from one digit to two digits a decade ago.
Now that we are approaching version 100 in Chrome and Firefox, both Google and Mozilla are offering tools designed to give website developers an early warning about potential problems in handling three-digit versions of their respective browsers.
For example, a feature flag available from Chrome versions 96 to 99 enables early testing for possible issues when parsing a three-digit User-Agent string.
The optional feature will force the User-Agent string to present as version number 100, instead of the actual version number of the browser been used.
The induced behaviours will apply to both User-Agent request header and the JavaScript APIs, as Google explains in a blog post.
Turn of the century
The latest stable versions of widely used web browsers are: Google Chrome 97, Mozilla Firefox 96, Microsoft Edge 97, Opera 82, and Apple Safari 15.
With the triple-digit change looming, Google has established a test microsite – dubbed Is Chrome 100 yet? – to check if a browser is sending the major version 100 in the User-Agent string.
The browser maker is also encouraging website developers to send in bug reports they encounter in preparing for the upcoming version number change.
Mozilla – whose Firefox browser is due to hit the version 100 threshold in May – has also been testing the waters by offering developers the chance to tweak the User-Agent string.
These experiments have thrown up few issues so far, Mozilla told The Daily Swig:
Since June 2021, we’ve been running an experiment in Firefox’s Nightly release channel where 50% of Firefox Nightly users have a User-Agent string with version 100. Throughout this experiment, we wanted to hear from our users their experience and report broken websites on Mozilla’s webcompat.com website. To date, we’ve had fewer than 30 websites reported as broken by version 100.
Firefox’s 100 release is scheduled for May 3, 2022. To help prepare developers, Mozilla is planning a blog post on the topic later this month that will explain how to test websites for version 100 compatibility alongside plans to offer a safety net, of sorts.
Catch up on the latest browser security news and analysis
A Mozilla spokesperson explained: “After Firefox 100 release… If some websites are still broken, we have the ability to override the User-Agent string for individual websites. Firefox can pretend to be version 99 for those websites until they are fixed.”
Y2K repeat unlikely
This is no looming Millennium Bug-style event – the feared computer problems related to the storage of calendar data for dates in and after the year 2000.
Third-party browser security experts expect the transition to using version 100 and above to run smoothly without requiring much work beforehand.
PortSwigger security researcher Gareth Heyes commented that handling browser User-Agent strings of 100 and above is “only likely to be an issue with legacy badly written code”.
Heyes explained: “For example, a site might have a bad regex that detects the browser and version and if it’s not within the range 0-99 it might redirect you or display a message ‘Please use a modern browser’. This might cause a user unable to use a site without altering the site's code or changing their User-Agent string.”
YOU MAY ALSO LIKE Apache Software Foundation warns its patching efforts are being undercut by use of end-of-life software
