 |
|
|
|
|
|
|
|
|
2005-03-13, 02:45 PM
|
#12 | |
|
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
Join Date: Jan 2004
Posts: 178
 |
Quote:
It's not used by browsers or for web pages. Web browsers send GET, HEAD, and POST requests. Perhaps my last message wasn't very clear. The whole point of my last message is that indeed almost all web servers respond very differently to IE (versions 4, 5, 5.5, AND 6) than they do to other, standards compliant browsers. They do so based entirely on the request sent by the browser, which looks something like this: GET /somepage.html HTTP/1.1 CONNECTION: Keep-Alive USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC) PRAGMA: no-cache HOST: www.dcs.napier.ac.uk Accept-Language: en-gb Accept-Encoding: gzip, deflate ACCEPT: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* There are many other headers that can be included, of course. The above example has no cookie being returned, no CGI data, etc. but it's fairly typical of a basic request. It tells us that it's MSIE 5.22 on PowerPC preferring British English, among other things. There's no JavaScript involved I don't know where you got that idea, or the idea that Strongbox redirects the user to some other web page. Check your httpd.conf and you likely to find all of these hacks for IE and many more: <IfDefine SSL> SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive \ ssl-unclean-shutdown \ downgrade-1.0 \ force-response-1.0 </IfDefine> These particular lines say that if it's IE trying to do SSL than use HTTP 1.0 and close the connection even though IE says it can handle keeping the connection open for the next request. IE can't handle HTTP 1.1 at all with SSL even though indeed HTTP 1.1 has been the standard for over 6 years now. IE also sends a keep alive request, asking the server to leave the connection open for the next request, but in fact it chokes if the server does that. You'll see other directives in there that do in fact send different reponses to IE4 vs. IE5 vs. IE6 precisely because none of them follow the standards very closely at all and they don't even all behave the same. If you responded to IE4 with a response designed for IE6 that would choke IE4. It's not _supposed_ to ne that way, no. They are all supposed to speak standard HTTP. But they don't. Not by a long shot. Some of this is just bugs in IE, MS quality control is not too good. Some of it is Microsft's written policy of intentionally "warping" standards such as HTTP and HTML so that people will start designing pages and servers for IE, in which case they won't work with other browsers. Remember those icons you used to see on _SO_ many web pages saying that the page was designed for MSIE? That wasn't an accident. MS excutives testified that MS worked very hard to make sure that IE wouldn't accept "generic" standards compliant pages and that pages designed for IE wouldn't work in other browsers in a largely succesful attempt to get all pages designed for IE and make sure that everyone therefore had to use IE in order to use the pages fully. Strongbox uses no Javascript, so I'm not sure where you're getting that, and it doesn't exploit any browser vulnerabilities either. Strongbox simply records and analyzes information to protect your site. Personally I don't see it as impolite for Strongbox to record the fact that so far today the user name "sureimlegit" has logged in using MSIE 6, Firefox 1.0, and Mozilla 1.7.3, as well as the fact that on different occasions "sureimlegit" has preferred American English, British English, and Chinese, so it's probably NOT the same person loggin in 3 times and the password is probably compromised. |
|
|
|
|
|
Threaded Mode