miscoded

I've wanted to tell this story for a while, and I don't think I'm spilling any beans or disclosing any sensitive information at this point.

So, a while ago Opera Software needed more servers. Not just a few servers either - we were planning Opera Mini's growth, implementing Opera Link, and My Opera was also growing quickly. We predicted crazy server load increases for the foreseeable future (and man, were we right!)

Clearly we needed to make a massive investment on the server capacity front (basically buying these shiny things and then some.)

Management put a hefty check on the table - I'm sure our beloved sysadmins felt like kids before Christmas - and salivating sales people from major hardware vendors grabbed our requirements spec, dived into their CRMs and crunched their spreadsheets. They emerged with offers and sample servers shipped all the way to Oslo for our testing pleasure.

However, one of the world's biggest hardware vendors - whose name every single reader will be familiar with, and whose hardware a good share of you will be using right now - apparently didn't do their homework. When Opera's sysadmin booted up the server to test its web-based administration interface, they came across a single JavaScript statement that managed to piss off everyone up to and including the CTO.

This single statement, apparently written by some sub-contractor they had outsourced admin interface programming to, cost them millions of NOK in lost sales.

And the code they sent all the way to Oslo for testing? Here's an extract:

if (is.opera)
{
window.location.href="config/error.htm";
}

So we're busy preparing the major upgrade from 9.5x and 9.6x - and what's more obvious than calling it Opera 10? What's in a name, or a version number?

Apparently a lot of trouble.

As Andrew Gregory already noticed, we're the first browser ever to release with a two-digit version number. If websites assume that version numbers always have a one-letter "major" part and look for a single digit, they are going to "detect" Opera 1!

Since we released the first preview of Opera 10, we're seeing the bug reports come in. Web sites go belly up because of their bad sniffing. Some of them aren't even ashamed of it..



Thanks, Bank of America. Do you feel like it's 1995 again? Yeah, me too.

You'd think that with the intense development Microsoft has been lavishing on live.com they would have found somebody capable of writing a usable browser sniffer (or ideally a person clever enough to say "wait, we don't really need one - what if we just use feature detection instead?"). Think again..


..and for further evidence that their backend version detection is an odd piece of software engineering, read their cookies closely - Opera 9.62's request first, then Opera 10:

GET /mail/browsersupport.aspx 
Host: co109w.col109.mail.live.com 
User-Agent: Opera/9.62 (Windows NT 5.1; U; en) Presto/2.2.0 

Set-Cookie: BrowserSense=Win=1&Downlevel=0&WinIEOnly=0&Firefox=0&Opera=1&OperaVersion=9.2&Safari=0; domain=.live.com; path=/

GET /mail/browsersupport.aspx 
Host: co109w.col109.mail.live.com 
User-Agent: Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0 

Set-Cookie: BrowserSense=Win=1&Downlevel=1&WinIEOnly=0&Firefox=0&Opera=1&OperaVersion=&Safari=0; domain=.live.com; path=/

Did you spot the missing version value? We really confused them by adding 0.37 to our previous value, didn't we?

Speaking of cookies, they are the main reason we added the feature that lets you hide Opera's identity. Back then in 1996 or so, some sites would do browser sniffing and send cookies only to known browsers. On the next page, if you didn't serve it cookies the site would say "hey, you don't support cookies so go away". What would Joseph Heller make of that, I wonder?

So, rewind to meet the catch-22 server, re-born at Bank South Australia:

GET /InternetBanking/ HTTP/1.1
User-Agent: Opera/9.62 (Windows NT 5.1; U; en) Presto/2.1.1
Host: ibanking.banksa.com.au

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=000019WTazsWAk-lB38OrmKD3kR:13l3ifhnq;Path=/
Set-Cookie: bhCookieSess=1;Path=/
Set-Cookie: bhCookiePerm=1;Expires=Sat, 20-Dec-2008 23:35:40 GMT;Path=/

..and Opera 10..:

GET /InternetBanking/ HTTP/1.1
User-Agent: Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
Host: ibanking.banksa.com.au

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-AU
Date: Thu, 18 Dec 2008 23:34:37 GMT
Connection: close

Um, I'm hungry. Where are your cookies? Predictably the next page looks like this:



This is probably just the beginning.

Will the web ever learn?

The Surfin' Safari blog writes:

We strongly recommend looking for the AppleWebKit string and its version number, *not* for Safari

Apple's Safari FAQ writes:

If you need to identify the exact browser and version of clients accessing your site, use the AppleWebKit/XX portion of the string.

And lib.js on apple.com says:

this.isSafari= (agent.indexOf('safari') != -1);

Makes you wish browser vendors had tried suing browser sniffer authors back in 1996, rather than adding elaborate workaround strings to their UserAgent information. Seriously, authors should try a lot harder to not use name sniffing.

Well, I didn't quite get to the bottom of the Live.com problems last time but now I know: it's a bug in their browser sniffer. They say

Web.Browser._isIE=!Web.Browser.isMozilla()&&!Web.Browser._isOpera;

but mean

Web.Browser._isIE=!Web.Browser.isMozilla()&&!Web.Browser.isOpera();

.. so isIE is set to true even though we're Opera. That means the script gets into the wrong branches of the getElementsByTagName stuff in my previous post.

Yet another proof that all the world's evils come from browser sniffing. If sniffing wasn't necessary, we would have peace in the Middle East, no starvation in Africa .. OK, sorry, I'm getting carried away here but at the very least Live.com would be alive and kicking.