The big problem with Microsoft’s Flash whitelist browser sniffing

In “The big problem with Microsoft’s Flash whitelist”, Ars author Peter Bright shared some of his concerns with the forthcoming Windows 8 Metro version of Internet Explorer 10. He states “it’s neither a full desktop browser nor a detectable mobile browser” after being shafted by Sony Pictures for not using a Flash-enabled browser.

Peter expressed concerns that since IE10 Metro uses the same user-agent string as IE10 on the desktop, developers won’t be able to detect which is which, and as such, they’ll assume you’re on a desktop and that your desktop supports Flash. As was pointed out in the article, HTML5 content is commonly reserved for mobile browsers – which the Metro IE10 is not.

At the bottom of Peter’s article was a byline that stated Peter “covers programming and software development, Web technology and browsers,” and as such I am saddened to see such a defense of user-agent sniffing and absolutely no mention of feature-detection.

User-agent sniffing, or “browser sniffing”, is the act of examining the user-agent string sent with requests to a server and inferring the browser or system’s abilities from that information alone. For instance, if your user-agent string contains a reference to “iPad”, I can safely assume you support HTML5.

The bottom line is that this practice is unprofessional and naive. The user-agent string is not an immutable property of the browser. It changes with each browser release, it changes when certain plugins are installed, and it changes at the whim of the user if they happen to be tampering with their developer tools (perhaps trying to get around poorly-coded sites that require certain user-agent strings for access).

The jQuery documentation, while providing $.browser.msie for IE detection, states “We recommend against using this property; please try to use feature detection instead.”

The popular Yahoo library, YUI, also contains the UA class for detecting the user’s browser, but they too plead with the user: “Do not fork for a browser if it can be avoided. Use feature detection when you can. Use the user agent as a last resort.”

One is forced to ask, why didn’t any of this make its way into Peter’s article? The article was instead an attack on Metro IE10 for not being an enabler to poor development practices. As Peter pointed out, he wasn’t able to watch his video because the site he was visiting was sniffing his user agent string. If Sony Pictures had been doing things the correct way, we wouldn’t have these problems.

Feature detection isn’t hard to do. In fact, regarding HTML5 video it’s a very trivial task:

if ( !!document.createElement("video").canPlayType ) {
    // Load HTML5
} else {
    // Go for Flash
}

That is all it takes. Not too hard, right? It is even more trivial if you use a feature-detection suite like Modernizr to handle the heavy lifting for you. No tampering with user-agent strings, no screwing up your parsing and thus breaking your user’s experience – none of that. Just giving the browser what the browser can handle.
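To make the contrast concrete, here is an added example (not code from Peter’s article, Sony Pictures, jQuery or YUI) that runs a sniffing check and a feature-detection check against the same user-agent string. The function names, the stand-in `doc`/`nav` objects and the sample environments are constructed for illustration; in a real page you would pass `document` and `navigator`.

```javascript
// Added example. `doc` and `nav` stand in for window.document and
// window.navigator so the logic also runs outside a browser.
const MP4 = 'video/mp4; codecs="avc1.42E01E"';
const FLASH = "application/x-shockwave-flash";

// The practice the article argues against: guess from the UA string.
function pickPlayerBySniffing(userAgent) {
  return /iPad|iPhone|Android/.test(userAgent) ? "html5" : "flash";
}

// canPlayType returns "", "maybe" or "probably"; only "" means no.
function canPlayHtml5(doc, mimeType) {
  const video = doc.createElement("video");
  return typeof video.canPlayType === "function" &&
    video.canPlayType(mimeType) !== "";
}

// Plugin check via navigator.mimeTypes (older IE exposed Flash through
// ActiveX instead; that branch is left out here).
function hasFlash(nav) {
  const entry = nav.mimeTypes && nav.mimeTypes[FLASH];
  return Boolean(entry && entry.enabledPlugin);
}

function pickPlayer(doc, nav, mimeType) {
  if (canPlayHtml5(doc, mimeType)) return "html5";
  if (hasFlash(nav)) return "flash";
  return "download-link"; // nothing plays it inline: offer the file
}

// Constructed environments (not captured from real browsers).
function fakeDoc(playable) {
  return { createElement: () => playable
    ? { canPlayType: (t) => (playable.includes(t) ? "probably" : "") }
    : {} };
}
const withFlash = { mimeTypes: { [FLASH]: { enabledPlugin: {} } } };
const noPlugins = { mimeTypes: {} };
const IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)";

const results = {
  sniffedMetro: pickPlayerBySniffing(IE10_UA), // the wrong guess
  metro: pickPlayer(fakeDoc([MP4]), noPlugins, MP4),
  desktop: pickPlayer(fakeDoc([MP4]), withFlash, MP4),
  legacy: pickPlayer(fakeDoc(null), withFlash, MP4),
  bare: pickPlayer(fakeDoc(null), noPlugins, MP4),
};
console.log(results);
```

The sniffing function sends the plugin-free environment to Flash because the string looks like a desktop browser, while the detection path never reads the string at all.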

When you assume you know what the browser is capable of without actually making some attempts, you ruin things for everybody. Just ask Karl Dubost, a web developer working with the Opera browser. He expressed some of his frustration when CFABank unnecessarily blocked Opera users from gaining access to their accounts.

Or perhaps Rey Bango, a jQuery team member and Developer Evangelist for Microsoft who shared the story of Paydirt, a wonderful service that prevented IE users from knowing how great their product was because they assumed IE wouldn’t work, even though IE9 and 10 handled their product very well.

This is what Peter’s complaint should have been – people are developing terrible sites. And it’s not just some kid at his house, it’s large companies like Sony Pictures. It’s a call for education, and it’s something we in the development community are working very hard to remedy.

Kudos to Microsoft for taking the actions they’ve taken. Having plugins in the browser leads to security risks, unnecessary battery usage, and so much more. Not to mention, if people build things using the native features available in modern browsers today (with the many great polyfills and fallbacks where necessary), we find the need for major plugins like Flash practically vanishes.

I, for one, eagerly await the arrival of the plugin-free browser.