User agent sniffing is an anti-pattern. Our browser getting identified as different from Firefox is a feature, not a bug.

I believe privacy implications is *not* a concern here: We should support security by obscurity only optionally, and only when not getting in the way of progress towards Freedom.

The user-agent string is an identifier. As such I no sense in including "Firefox" in the string, because that detail is *exactly* the part we avoid in deriving our product from the product from Mozilla: If Firefox identifies itslef as (hi, I am a Gecko engine branded as Firefox" then it makes perfect sense that we, when deriving, change that to "Hi, I am a Gecko engine, branded as PureBrowser".

I learned that Option 2 can be enabled by the user in a safe way by setting the "general.useragent.compatMode.firefox" parameter in about:config to true -- that is the purpose of that option which is only available in Firefox derivatives.

In T247#4401, @jonas.smedegaard wrote:

User agent sniffing is an anti-pattern. Our browser getting identified as different from Firefox is a feature, not a bug.

Whilst I 100% agree in principle, after working for (gosh) 10 years in web development it is something that is really unavoidable :(

In T247#4470, @chris.lamb wrote:

In T247#4401, @jonas.smedegaard wrote:

User agent sniffing is an anti-pattern. Our browser getting identified as different from Firefox is a feature, not a bug.

Whilst I 100% agree in principle, after working for (gosh) 10 years in web development it is something that is really unavoidable :(

Wouldn't doing Option #2 (by setting general.useragent.compatMode.firefox by default) not negate that? The browser would still be clearly identified as different from Firefox, with Purebrowser in the UA.

I don't think it would be like lying -- they may be misguided, but many website creators look for "Firefox" in the UA because they expect it to catch all browsers *like* FF, including Iceweasel, Purebrowser, etc. due to the fact that they assume compatMode.firefox is usually set on such derivatives. It seems like much more sense to just include that. You can even add the word "like" to the UA if you want to eliminate any possible confusion.

I prefer and would advocate for option 2 because it instructs sites that (mistakenly or not) use browser versions to determine how to behave that PureBrowser is most compatible with a particular version of Firefox (which it is, having been almost entirely derived from that browser, with some modifications), while also informing the site that the browser is not in fact Firefox, but something else.

This to me is a fair compromise with the engineering concerns (I almost said ethical concerns but honestly this falls more into the "I don't like that those engineers do it that way" than "Those engineers are acting unethically") because we are stating our compatibility but also stating that we are not in fact Firefox but are something else.

From the end user's perspective, without displaying some kind of UA string that contains a Firefox version, our browser will be broken on many websites where otherwise it would work just fine. It seems a shame to allow this breakage (or force the user to change the UA string themselves) just because we would prefer web developers not develop websites a certain way (a way which is not unethical, just undesirable).

It seems like an easy win for us. Leaving it how it is will not make any web developers change their behavior, but it will make PureBrowser seem "broken" for our users unnecessarily. While I also appreciate the privacy concerns with having an unusual UA string, in this case I think users with those concerns are sophisticated enough to change the UA themselves, or otherwise use Tor Browser instead.

This has been mentioned elsewhere, but just to document Mozilla's take on all this:

Mozilla recommend against UA sniffing. If you do sniff, they recommend looking for "Gecko" not "Firefox".

Mozilla provides the general.useragent.compatMode.firefox flag so that the browser adds "Firefox" to the UA string, such that the Firefox version is logical match for the Gecko version. This is provided explicitly to support a user browsing a site that insists on sniffing for "Firefox".

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox

Ok, I am convinced with doing option 2.

My main concern against it was detachment from the trademark-protected name - but since Mozilla themselves provide a mechanism specifically for derived browser product I take that as them toleating use of their name used that specific way (i.e. when then also adding trailing product name).

Another concern is the risk of collateral damage: Previous hacks have affected several things at once (one of them being path to user config - see T335). Again, Mozila providing a mechanism specifically for this helps.

I have tested succesfully, and future releases of PureBrowser will add the following to /etc/purebrowser/purebrowser.js:

pref("general.useragent.compatMode.firefox", true);