WebKit Bugzilla
NEW
273733
[GLib] User-agent validation is too strict
https://bugs.webkit.org/show_bug.cgi?id=273733
Philippe Normand
Reported
2024-05-04 03:22:00 PDT
I understand some validation is needed (for libsoup), but checking RFC 7231 section 5 compliance appears to be something unique to our ports. Why? I was made aware some Tizen TVs use this "Mozilla/5.0 (SMART-TV; LINUX; Tizen 6.0) AppleWebKit/537.36 (KHTML, like Gecko) 76.0.3809.146/6.0 TV Safari/537.36 Oqee/SmartTV/1.0.138-1/Samsung/Tizen/6.0/UE50AU7105KXXC" which is not valid according to RFC 7231, but I had no trouble using that UA in other browsers (Chromium, Firefox). So can we relax this a bit please? Making sure there are no invalid characters or carriage returns should be sufficient imho.
Michael Catanzaro
Comment 1
2024-05-04 05:36:07 PDT
What's the benefit of allowing a WebKit client to knowingly set an invalid user agent header...?
Philippe Normand
Comment 2
2024-05-04 05:50:03 PDT
(In reply to Michael Catanzaro from comment #1)
> What's the benefit of allowing a WebKit client to knowingly set an invalid
> user agent header...?
Allowing a website that relies on an invalid user agent header.
Michael Catanzaro
Comment 3
2024-05-04 05:51:07 PDT
Oqee/SmartTV/1.0.138-1/Samsung/Tizen/6.0/UE50AU7105KXXC

I've never seen a user agent header like this before ever. If you're trying to impersonate Tizen, you might be able to get close enough by just removing the slashes. Usually web servers will search for substring matches rather than checking for an exact match.
Michael Catanzaro
Comment 4
2024-05-04 05:54:06 PDT
If that doesn't work, then I suggest adding a WebKitSettings:allow-invalid-user-agent-headers setting and check that to decide whether to do the validation, so you can turn off the check but it remains by default to prevent application developers from accidentally messing up.
Michael Catanzaro
Comment 5
2024-05-04 06:01:33 PDT
(Also, checking bug #201077, it looks like some work in libsoup would be needed to allow it.)
Karl Dubost
Comment 6
2024-05-08 20:55:00 PDT
User agents can be weird. I have had the opportunity to go through a sample file of 1 million of them 10 years ago for a popular video website. Some of the user agents had the personal phone numbers of their users.
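The two checks contrasted in this thread, as an added example (not WebKit or libsoup code): a strict parser for the RFC 7231 section 5.5.3 `User-Agent` grammar beside the relaxed check the report asks for, read here as "non-empty and no control characters". The function names are hypothetical and the relaxed rule is an assumed interpretation of the report.

```python
import re

T = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # token = 1*tchar
PRODUCT = re.compile(T + "(?:/" + T + ")?")      # product = token ["/" product-version]

def _is_text(c):
    # HTAB / SP / VCHAR / obs-text: excludes CR, LF, NUL and other controls
    return c in " \t" or 0x21 <= ord(c) <= 0x7E or 0x80 <= ord(c) <= 0xFF

def _product(s, i):
    m = PRODUCT.match(s, i)
    return m.end() if m else -1

def _comment(s, i):
    depth, j = 0, i                        # returns index past the (nested) comment, or -1
    while j < len(s):
        c = s[j]
        if c == "\\":                      # quoted-pair: validate the escaped character
            j += 1
            if j >= len(s) or not _is_text(s[j]):
                return -1
        elif c in "()":
            depth += 1 if c == "(" else -1
            if depth == 0:
                return j + 1
        elif not _is_text(c):
            return -1
        j += 1
    return -1                              # unterminated comment

def is_rfc7231_user_agent(ua):
    """Strict: User-Agent = product *( RWS ( product / comment ) )."""
    i = _product(ua, 0)
    while 0 <= i < len(ua):
        j = i
        while j < len(ua) and ua[j] in " \t":
            j += 1
        if j == i or j == len(ua):         # RWS is mandatory and an element must follow
            return False
        i = _comment(ua, j) if ua[j] == "(" else _product(ua, j)
    return i == len(ua)

def is_relaxed_user_agent(ua):
    """Relaxed (assumed reading of the report): non-empty, no control characters."""
    return bool(ua.strip()) and all(_is_text(c) for c in ua)

TIZEN_UA = ("Mozilla/5.0 (SMART-TV; LINUX; Tizen 6.0) AppleWebKit/537.36 (KHTML, like Gecko) "
            "76.0.3809.146/6.0 TV Safari/537.36 "   # user agent quoted in the report
            "Oqee/SmartTV/1.0.138-1/Samsung/Tizen/6.0/UE50AU7105KXXC")
```

The strict parser stops at the second `/` in `Oqee/SmartTV/...`, because `/` is not a token character and a product allows only one version part. The relaxed check accepts the same string but still refuses any value containing CR or LF.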