Old 2005-03-13, 02:45 PM   #12
raymor
Quote:
First of all, browser version has shit to do with the HELO request my browser is sending to get the damn headers and body that your server sends.
...
there's no chance that your Apache or IIS or whatever you're using is sending different headers depending on the browser version, BECAUSE all popular browsers are made to understand HTTP the way it is now, because it hasn't changed for YEARS... or maybe you're saying that IE 4 sends different "give me the page" headers than IE 6.5?
BTW, HELO is a part of a POP3 request to retrieve mail.
It's not used by browsers or for web pages. Web browsers
send GET, HEAD, and POST requests.
Perhaps my last message wasn't very clear.
The whole point of my last message is that indeed
almost all web servers respond very differently
to IE (versions 4, 5, 5.5, AND 6) than they do to
other, standards compliant browsers. They do so based
entirely on the request sent by the browser, which looks
something like this:

GET /somepage.html HTTP/1.1
CONNECTION: Keep-Alive
USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)
PRAGMA: no-cache
HOST: www.dcs.napier.ac.uk
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
ACCEPT: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

There are many other headers that can be included, of course.
The above example has no cookie being returned, no CGI
data, etc. but it's fairly typical of a basic request. It tells us that
it's MSIE 5.22 on PowerPC preferring British English, among
other things.

There's no JavaScript involved. I don't know where you got that idea,
or the idea that Strongbox redirects the user to some other web page.
Check your httpd.conf and
you're likely to find all of these hacks for IE and many more:
<IfDefine SSL>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive \
ssl-unclean-shutdown \
downgrade-1.0 \
force-response-1.0
</IfDefine>

These particular lines say that if it's IE trying to do SSL
then use HTTP 1.0 and close the connection even though
IE says it can handle keeping the connection open
for the next request. IE can't handle HTTP 1.1 at all
with SSL even though indeed HTTP 1.1 has been the standard
for over 6 years now. IE also sends a keep alive request,
asking the server to leave the connection open for the
next request, but in fact it chokes if the server does that.
You'll see other directives in there that do in fact send
different responses to IE4 vs. IE5 vs. IE6 precisely because
none of them follow the standards very closely at all and
they don't even all behave the same. If you responded to
IE4 with a response designed for IE6 that would choke IE4.
It's not _supposed_ to be that way, no. They are all supposed
to speak standard HTTP. But they don't. Not by a long shot.

Some of this is just bugs in IE, MS quality control is not too good.
Some of it is Microsoft's written policy of intentionally "warping"
standards such as HTTP and HTML so that people will start designing
pages and servers for IE, in which case they won't work with other browsers.
Remember those icons you used to see on _SO_ many web pages
saying that the page was designed for MSIE? That wasn't an accident.
MS executives testified that MS worked very hard to make sure that
IE wouldn't accept "generic" standards compliant pages and that
pages designed for IE wouldn't work in other browsers in a largely
successful attempt to get all pages designed for IE and make sure
that everyone therefore had to use IE in order to use the pages fully.

Strongbox uses no Javascript, so I'm not sure where you're getting that,
and it doesn't exploit any browser vulnerabilities either.
Strongbox simply records and analyzes information to protect
your site.
Personally I don't see it as impolite for Strongbox to record the fact
that so far today the user name "sureimlegit" has logged
in using MSIE 6, Firefox 1.0, and Mozilla 1.7.3, as well as the fact
that on different occasions "sureimlegit" has preferred American
English, British English, and Chinese, so it's probably NOT the
same person logging in 3 times and the password is probably compromised.
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
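The kind of check the last paragraph of the post describes, as an added example: it is not Strongbox's own code (the post does not show its internals), and it runs over a constructed log whose line format, the `browser_family` helper and the `max_profiles` threshold are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): one line per login,
# recording the fields the post says get analyzed: user, User-Agent, Accept-Language.
SAMPLE_LOG = """\
2005-03-13 09:01:12 user=sureimlegit ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" lang="en-us"
2005-03-13 10:22:45 user=sureimlegit ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.5) Gecko/20041107 Firefox/1.0" lang="en-gb"
2005-03-13 11:05:03 user=sureimlegit ua="Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001" lang="zh-cn"
2005-03-13 11:40:19 user=bob ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" lang="en-us"
2005-03-13 13:15:00 user=bob ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" lang="en-us"
"""

# Assumed log line format: key=value fields with quoted header values.
LINE_RE = re.compile(r'user=(?P<user>\S+) ua="(?P<ua>[^"]*)" lang="(?P<lang>[^"]*)"')

def browser_family(ua: str) -> str:
    """Reduce a User-Agent string to a coarse browser label (hypothetical helper)."""
    if "MSIE" in ua:
        return "MSIE " + re.search(r"MSIE ([\d.]+)", ua).group(1)
    if "Firefox/" in ua:
        return "Firefox " + ua.split("Firefox/")[1].split()[0]
    if "Gecko/" in ua:
        return "Mozilla"
    return "other"

def primary_language(lang: str) -> str:
    """First tag of the Accept-Language header, lower-cased (e.g. 'en-gb')."""
    return lang.split(",")[0].strip().lower()

def fingerprints_per_user(log_text: str) -> dict:
    """Map each user to the set of (browser, language) profiles seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        seen[m["user"]].add((browser_family(m["ua"]), primary_language(m["lang"])))
    return dict(seen)

def suspicious_accounts(log_text: str, max_profiles: int = 1) -> list:
    """Users whose logins came from more distinct browser/language profiles than allowed."""
    per_user = fingerprints_per_user(log_text)
    return sorted(u for u, fps in per_user.items() if len(fps) > max_profiles)
```

On the constructed log, "sureimlegit" shows three different browser/language profiles in one day and is flagged, while "bob" is consistent and is not.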