Internet DRAFT - draft-karcz-uuas
draft-karcz-uuas
Independent                                                     M. Karcz
Internet-Draft                                                UKLO Tczew
Updates: 7231 (if approved)                            November 10, 2014
Intended status: Experimental
Expires: May 14, 2015
                       Unified User-Agent String
                          draft-karcz-uuas-01
Abstract
   User-Agent is a HTTP request-header field. It contains information
   about the user agent originating the request, which is often used by
   servers to help identify the scope of reported interoperability
   problems, to work around or tailor responses to avoid particular user
   agent limitations, and for analytics regarding browser or operating
   system use. Over the years contents of this field got complicated
   and ambiguous. That was the reaction for sending altered version of
   websites to web browsers other than popular ones. During the
   development of the WWW, authors of the new web browsers used to
   construct User-Agent strings similar to Netscape's one. Nowadays
   contents of the User-Agent field are much longer than 15 years ago.
   This Memo proposes the Uniform User-Agent String as a way to simplify
   the User-Agent field contents, while maintaining the previous
   possibility of their use.
Status of This Memo
   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on May 14, 2015.
Karcz                     Expires May 14, 2015                  [Page 1]
Internet-Draft          Unified User-Agent String          November 2014
Copyright Notice
   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
   This document may not be modified, and derivative works of it may not
   be created, except to format it for publication as an RFC or to
   translate it into languages other than English.
Table of Contents
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conformance . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Syntax Notation . . . . . . . . . . . . . . . . . . . . .   3
       1.2.1.  Whitespaces . . . . . . . . . . . . . . . . . . . . .   3
   2.  Use of the User-Agent strings . . . . . . . . . . . . . . . .   3
   3.  Definition of Proposed Format . . . . . . . . . . . . . . . .   3
     3.1.  Standard String . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Regular String  . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  Web Browser String  . . . . . . . . . . . . . . . . . . .   5
   4.  ABNF Definition of UUAS . . . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9
1.  Introduction
   Nowadays User-Agent strings are long, complicated and often
   ambiguous. (e.g. "Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux
   i686; en) Opera 8.01" - it is Opera Browser, but it can be read as
   Internet Explorer or Netscape Navigator.) This document specifies a
   new, easy and clear format of Unified User-Agent String (UUAS), which
   allows simple distinction between user agents, maintaining most of
   the features of the existing solutions.
Karcz                     Expires May 14, 2015                  [Page 2]
Internet-Draft          Unified User-Agent String          November 2014
1.1.  Conformance
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].
1.2.  Syntax Notation
   This specification uses the Augmented Backus-Naur Form (ABNF)
   notation of [RFC5234]. Section 4 contains a full syntax definition
   of the Unified User-Agent String.
1.2.1.  Whitespaces
   This specification uses two rules to denote the use of linear
   whitespace: OWS (optional whitespace) and RWS (required whitespace).
   They are defined in Section 3.2.3 of [RFC7230].
2.  Use of the User-Agent strings
   Generally, the User-Agent header field was intended for statistical
   purposes. However, in mid-90. during the "browser wars" data
   provided by this field became used to alter the content of the
   resources before sending them to the user, or even to prevent users
   of particular browser the access to resources. To avoid these
   protections, software vendors started to change their identifiers in
   a way resembling User-Agent strings of the most popular browsers.
   During the years it has made these identifiers much more complicated,
   ambiguous and difficult to parse.
   Nowadays User-Agent strings are still used for statistical purposes,
   but also for avoiding limitations of particular implementations.
   However, in modern browsers these limitations greatly decreased and
   "user agent spoofing" is now unnecessary.  Unfortunately, there are a
   lot of websites still discriminating particular web browsers.
   Unified User-Agent String is intended to propose a way for
   simplifying, clarifying and standarizing the content of User-Agent
   HTTP header field. Furthermore, if it becomes widespread, it will be
   able to reduce the practice of "user agent spoofing" and
   discrimination of particular groups of the Internet users.
3.  Definition of Proposed Format
   This document proposes a formal definition of three types of User-
   Agent string: standard string, regular string and web browser string.
Karcz                     Expires May 14, 2015                  [Page 3]
Internet-Draft          Unified User-Agent String          November 2014
     User-Agent = uuas
     uuas = standard-string / regular-string / browser-string
   Standard string is intended to maintain backward compatibility with
   existing implementions and it is the same simple format as defined in
   [RFC7230].
   Regular string introduces a degree of standardization making every
   theoretical UUAS parser able to obtain information from it.
   Web browser string is designed for modern graphical web browsers and
   proposes a set of signatures, which should form together a clear and
   unequivocal application identifier.
3.1.  Standard String
   The standard User-Agent string MUST be generated in conformance with
   Section 5.5.3 of [RFC7231]. The standard User-Agent string consists
   of one or more product identifiers, each followed by zero or more
   comments (Section 3.2 of [RFC7230]), which together identify the user
   agent software.
   Standard string syntax definition:
     standard-string = product *( RWS ( product / comment ) )
   The product identifiers and comments SHOULD be listed in decreasing
   order of their significance. Each of them consists of a name and
   OPTIONAL version number.
   In the standard string a sender SHOULD limit generated product
   identifiers to what is necessary to identify the product; a sender
   MUST NOT generate advertising or other nonessential information
   within the product identifier. A sender SHOULD NOT place non-
   version-related information in version number part of product
   identifier.  In the standard string successive versions of the same
   product SHOULD differ only in the version part of the identifier.
   Example:
     CERN-LineMode/2.15 libwww/2.17b3
3.2.  Regular String
   Regular Unified User-Agent String is intended for request senders
   other than graphical web browsers and general web crawlers. It MUST
   provide a signature of the operating system or platform (eg. in case
   of runtime environments) used to generate the request at the first
Karcz                     Expires May 14, 2015                  [Page 4]
Internet-Draft          Unified User-Agent String          November 2014
   position in the comment after the first product identifier. After
   this signature the regular string MAY contain any comments and next
   product identifiers.  Only this information MUST be provided, because
   this format is designed for cases, when the server does not need to
   know the exact parameters of the application originating the request.
   In such cases this string can be applicable in statistical purposes
   or in adapting the server's response to capabilities of particular
   software platforms (eg. for indicating the need for adding carriage
   returns before the newlines).
   Regular string syntax definition:
     regular-string = product RWS "(" os [ sc 1*ctext ] ")"
                      *( RWS ( product / comment ) )
   Regular Unified User-Agent Strings are syntactically compliant with
   the standard definition.
   Example:
     Wget/1.11.1 (Red Hat modified)
3.3.  Web Browser String
   Web Browser User-Agent String is a format of this field-value
   intended for identifying modern graphical web browsers, which are
   compatible with HTML5, CSS3 or other modern web technologies. Web
   browser string MUST contain "Mozilla/5.0" tag at the beginning for
   historical reasons. This helps avoid the recognition of browsers as
   very old ones. Web Browser UUAS MUST also contain "Gecko" tag. This
   can avoid delivering impaired versions of websites to modern but not
   Gecko-based client applications. It is also in conformance with
   Section 6.6.1.1 of [W3C.REC-html5-20141028].
   Web browser string syntax definition:
     browser-string = Mozilla-tag
                      RWS "(" *( signature sc ) os
                      *( sc signature ) [ sc language ]
                      *( sc signature ) [ sc rvtag ] ")"
                      RWS Gecko-string
                      *( RWS ( product / comment ) )
   Like regular string, Web Browser Unified User-Agent String MUST
   provide information about software platform. Fields contained
   between brakets (comments) SHOULD be separated by semicolons with
   optional space. Application MAY also include language tag in its
Karcz                     Expires May 14, 2015                  [Page 5]
Internet-Draft          Unified User-Agent String          November 2014
   User-Agent string. Then it MUST be a Language-Tag in accordance with
   [RFC5646].
   Due to the fact that the application originating the request cannot
   provide its version info in the first product identifier, it SHOULD
   place its version number in the separate revision tag.
   Of course, a sender can add to the string any valid product
   identifiers and comments, but this Memo is intended to simplify and
   clarify this element of the protocol. In the web browser string
   there MUST be at least one signature allowing to identify particular
   client application product. Also the order of platform, language and
   revision signatures MUST NOT be changed.
   This type of UUAS SHOULD be also used by general web crawlers. It
   can help avoid certain unfair practices relying on delivering other
   resources to web browsers, other to web crawlers.
   Example:
     Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Karcz                     Expires May 14, 2015                  [Page 6]
Internet-Draft          Unified User-Agent String          November 2014
4.  ABNF Definition of UUAS
   ; Unified User-Agent String general definition
   User-Agent = uuas
   uuas = standard-string / regular-string / browser-string
   ; Standard string, as described in [RFC7231]
   standard-string = product *( RWS ( product / comment ) )
   ; Regular string, recommended for non-browsers
   regular-string = product RWS "(" os [ sc 1*ctext ] ")"
                    *( RWS ( product / comment ) )
   ; String recommended for web browsers and crawlers
   browser-string = Mozilla-tag
                    RWS "(" *( signature sc ) os
                    *( sc signature ) [ sc language ]
                    *( sc signature ) [ sc rvtag ] ")"
                    RWS Gecko-string
                    *( RWS ( product / comment ) )
   ; Tags and signatures definitions
   signature = product / 1*schar
   os = 1*schar
   language = <Language-Tag, see [RFC5646], Section 2.1>
   rvtag = "rv:" OWS token
   Mozilla-tag = "Mozilla/5.0"
   Gecko-string = Gecko-tag
                  / ( product RWS "(" *ctext
                  RWS Gecko-tag [ RWS 1*ctext ] ")" )
   Gecko-tag = ["like "] "Gecko" ["/20100101"]
   ; Additional definitions
   product = <product, see [RFC7231], Section 5.5.3>
   comment = <comment, see [RFC7230], Section 3.2.6>
   ctext = <ctext, see [RFC7230], Section 3.2.6>
   schar = tchar / HTAB / SP / obs-text
   token = <token, see [RFC7230], Section 3.2.6>
   tchar = <tchar, see [RFC7230], Section 3.2.6>
   obs-text = <obs-text, see [RFC7230], Section 3.2.6>
   sc = ";" OWS
   OWS = <OWS, see [RFC7230], Section 3.2.3>
   RWS = <RWS, see [RFC7230], Section 3.2.3>
Karcz                     Expires May 14, 2015                  [Page 7]
Internet-Draft          Unified User-Agent String          November 2014
5.  Security Considerations
   Implementations are encouraged not to use the product tokens of other
   implementations in order to declare compatibility or identity with
   them beyond the scope prescribed in this document, as this
   circumvents the purpose of the User-Agent field.
   A user agent SHOULD NOT generate a User-Agent field containing
   needlessly fine-grained detail and SHOULD limit the addition of
   subproducts by third parties. Overly detailed User-Agent strings
   increase request latency and the risk of a user being identified
   against their wishes. In theory, this can make it easier for an
   attacker to exploit known security holes; in practice, attackers tend
   to try all potential holes regardless of the software being used.
   But when User-Agent string is combined with other characteristics of
   the application, particularly if the client application sends
   excessive details about the user's system or extensions, the risk of
   successful attack gets higher.
   As User-Agent strings are text data, they can be used to carry out
   attacks by causing buffer overfows or changing formatting strings.
   Implementers should secure their applications against such practices.
   Data provided by User-Agent header field can be used to discriminate
   the users of particular client applications by preventing them
   accessing the requested resources or replacing them with false ones.
6.  IANA Considerations
   This document has no actions for IANA.
7.  Acknowledgments
   I would like to thank my English teacher, who devoted her time to
   conduct a linguistic revision of this Memo.
8.  References
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, BCP 14, March 1997.
   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.
   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 5234, STD 68, January 2008.
Karcz                     Expires May 14, 2015                  [Page 8]
Internet-Draft          Unified User-Agent String          November 2014
   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
              2014.
   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.
   [W3C.REC-html5-20141028]
              Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Doyle
              Navara, E., O'Connor, E., and S. Pfeiffer, "HTML5", World
              Wide Web Consortium Recommendation REC-html5-20141028,
              October 2014,
              <http://www.w3.org/TR/2014/REC-html5-20141028/>.
Author's Address
   Mateusz Karcz
   Uniwersyteckie Katolickie Liceum Ogolnoksztalcace w Tczewie
   6 Wodna Street
   Tczew, PM  83-100
   PL
   Email: mateusz.karcz(at)interia.eu
Karcz                     Expires May 14, 2015                  [Page 9]