After extensive testing, they’ve concluded that the best way to work around this is to pretend to be Version 9.80. From now on, all versions of Opera will identify themselves as “Opera/9.80″ with the real version appearing later in the user-agent string.

For example:

Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.2.15 Version/10.00

This is similar to the way all Gecko-based browsers identify themselves as Mozilla/5.0, then list the real browser name and version number later on, which makes me wonder why they didn’t just stick with that increasingly irrelevant prefix — though I suppose any scripts looking specifically for Opera versions might have still picked up Opera/10 later on in the ID.

It’ll be some time before Firefox or Safari runs into this issue, but with Internet Explorer 8 in wide release, you have to wonder…what will Microsoft do when they get to IE 10?

“…ah yes, I thought. That’s the sequel, all right. CORALINE APOCALYPSE”

I used to run into this with TIFF images when building websites. (No big surprise, given that there are a million variations on the TIFF format.) I think it was around 2000 or so that I was working on a website for a law firm, and they sent me their logo. The logo, as I received it, was yellow on light blue, so I built a site with black text on a white background for the main areas, and yellow on light blue (matching their logo) for the title, navigation, and borders.

I sent them a link to the test site. They looked at it, and said it was very nice, but could I try to match the color scheme on their logo instead?

It turned out that red and blue had gotten switched around (and possibly more, because I can’t remember how the yellow ended up in there), but anyway it was supposed to be white on light brown. I switched the channels, redid all the graphics and styles for the site, and they stuck with it for several years.

Back on the subject of Coraline, Gaiman adds in his post that the film has become “the second highest grossing stop-motion film ever” after Chicken Run. So why does it seem to be forgotten already? Just two months ago, commentators were falling all over themselves to say Coraline was the turning point for 3-D animation being part of the storytelling and not just a gimmick. Now everyone’s talking about how Monsters vs. Aliens is the turning point for 3-D animation being part of the storytelling and not just a gimmick.

First item cross-posted at LiveJournal.

I’ve also released that site under the Creative Commons Attribution-Share Alike 3.0 license, which should simplify matters for translations.

Finally, as a compromise between a full blog and little notes on the home page, I added another Twitter account, AltBrowser, where I’ll post not just site updates but random bits of news, comments, tips, etc. related to the topic.  I don’t have time to maintain yet another blog.  And I’m not convinced the net needs one.

I still hope to do that major rewrite, but this should bring it mostly up-to-date.

I usually use the WDG Offline Validator as a first line, but the W3C’s tools are incredibly useful. #

Firefox and Safari, currently at just before and just after 3, are likely safe for now, but IE is creeping up on 8, and with their new, faster release schedule, IE10 may only be a couple of years away.

I’ll admit, I’ve written code like that myself (not the specific example, but I’ve done regexp matches that only look at the first digit), but always on sites that I expect to be able to maintain. Of course, one of the lessons to learn from Y2K is that shortcuts get entrenched, and code you thought you’d have time to clean up long before it became a problem has a tendency to stay in use far longer than you expected. And we’ve seen the same thing with web script archives, where someone’s example code that mostly worked in IE4 gets enshrined as “the” way to accomplish something, even though there have been better ways that work more consistently for years.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. And think about it: what does the average Firefox user (or Opera user, for that matter) do when confronted with a site that will only run in IE? Fire off a complaint, or move on, unless it’s something they can’t live without, like, say, their bank. Only then will they bring up the site’s preferred browser…just long enough to do their business and move on.

Plus it goes against the grain of the concept that a website should be viewable in any browser. It offends my sense of… I don’t know, egalitarianism.

Recommend vs. Demand

My current tactics: I target the latest versions of each browser (or rather, the overlap in their standards support), toss in enhancements where I think something would be nice, but not critical (off-site link icons using generated content, for instance, which works in everything except IE≤7, or rounded corners, which only work in Gecko and WebKit so far). And I take that, and make it look reasonably good in IE6. I don’t try to make it perfect anymore (case in point, the header of this blog), but I try to make sure it’s functional and doesn’t look broken.

Then I include a polite notice recommending that people upgrade to something a little more capable or modern for a better experience, but I don’t require them to do so. I don’t pop up anything that moves, or blocks content, or forces them to click through an extra page.

Enter: PayPal

Now, remember what I said about banks? PayPal intends to block “unsafe” browsers from accessing their site (via Slashdot). They aren’t technically a bank, but PayPal is actually in a position where they might be able to do it: they’re the most well known online payment service where two random people can send each other money. Probably more people will switch browsers and keep PayPal than switch payment services and keep their browser.

They’ve since indicated that they don’t intend to block “current versions of any browsers,” but will focus on “obsolete browsers on outdated or unsupported operating systems.” So you IE4 users on Windows 98? Upgrade already! (And since you can’t install IE7, try Opera. It still runs on Win98!)

They’ve also cited such safety features as phishing protection (present in IE7, Firefox 2, and Opera 9) and support for Extended Validation SSL Certificates (present in IE7 and the upcoming Firefox 3 and Opera 9.5).

Hazards of Browser Sniffing

Of course, once you start actively blocking browsers, you have three choices:

• Keep track of every single browser out there, and every version.
• Let most browsers in, but only block a few problem browsers (similar to Yahoo’s Graded Browser Support)
• Unfairly block browsers that might be perfectly adequate just because you can’t be bothered to investigate them.

The last seems the most prevalent. Just ask any Opera user today, or any Firefox user of 3 years ago. (I remember using Firefox and being told to “upgrade” to Netscape 6, even though NS6 was based on an older version of the same engine. Remember: Gecko is Gecko.)

Whitelist approaches to browser detection are, by their nature, either going to require constant updating or block too much. In this case, issues would include:

• Less well-known browsers, like Flock, which uses the same anti-phishing features as Firefox
• Browsers that don’t do phishing detection themselves, using third-party plugins to do the job.
• Changes in status, when browsers add the capabilities required to get on the list.

Thankfully, it looks like PayPal is going with the most minimally-intrusive approach: blocking only the most troublesome browsers, and letting the rest connect normally.

Will it Work?

There’s still the question of whether it’ll actually make users less likely to land on a PayPal phishing site.

For one thing, it’s not clear whether they’ll block IE6. The initial report would definitely have excluded it, since it lacks both EV support and anti-phishing (without an add-on). But the follow-up statement was focused on Safari. Does PayPal consider IE6 to be a “current” version since Microsoft still supports it? Or do they consider IE7 to be current, and IE6 to be obsolete?

Certainly, if they don’t block IE6, this will really only impact the tiny fraction of users running horribly outdated software. (Well, more horribly outdated.)

The thing to remember is that the features PayPal is promoting will only help if users switch for general browsing. In fact, anti-phishing will make no difference at all on PayPal’s actual site, unless it gets hacked (at which point the user is screwed anyway.)

So let’s suppose that they do block IE6. As much as I’d like people to switch to Firefox or Opera full-time, I’m sure there will be some people who only fire up an alternative to use PayPal, and who stick with IE6 the rest of the time. They’re just as likely as before to click on a bogus “Pay with PayPal” button, or a link in a phishing email. If they weren’t going to do that in the first place, the browser requirement wasn’t needed. If they were, the browser requirement doesn’t help. The bogus sites won’t require phishing detection, or EV certs. Imagine the user saying, “Hey, PayPal fixed the problem where it wouldn’t let me use IE!”

And of course it won’t stop someone with a stolen login and password from connecting using an “approved” browser.

The ISC has also weighed in re: limitations of EV certificates. Among other things: it may be easier to get an EV cert than suggested, in which case it won’t indicate any greater degree of trust than a standard SSL certificate. And it doesn’t prevent other issues, like keyword loggers or trojans that simply hijack a user’s session.

I apologize for the rambling nature of this post (yeah, site title and all that). But I worked on it on a succession of late nights, and decided it was time to just post the thing. Also, I should have a somewhat more concise post up on OperaWatch soon now.

Social tagging initiative from WaSP to physically tag bad web designers.

Opera hits 106/100 on Acid3 after discovering an Easter egg in the test.

The openSUSE mailing list announced OpenSUSE 4.1, with KDE 4.1, GNOME 4.1, MP41 support, OpenOffice 4.1, XEN 4.1, VirtualBox 4.1, and a 4-in-1 CD install.

Added: The Electronic Frontier Foundation has sent out a newsletter detailing its findings on a Congressional Listening program (apparently they monitor citizens for their opinions—who knew?), plans to move the EFF offices to an armored zeppelin, an NSA-sponsored social networking site (to “allow ordinary Americans to instantly share their private data with the government”), and Homeland Security’s conclusion that Wikipedia is a “Larger Threat Than Terrorism, Dixie Chicks Combined.” Sadly, the newsletter does not appear to be archived on the website.

Added: Virgle, a Virgin/Google joint venture to establish a permanent colony on Mars. Now seeking applicants for Martian pioneers. Takes the Google moon base from 2004 to the next level.

Added: A co-worker pointed out that all of YouTube’s featured videos are Rickrolls today. And it looks like Google is going all-out with some 15 hoaxes today. *whew!*

The Internet Storm Center is keeping a list as well.

This doesn’t constitute passing the full test, as the resulting page needs to look exactly like the reference image, but it means they’re very close.

These fixes won’t appear in the upcoming Opera 9.5, since it’s in the stabilization phase as it approaches release (just like any new Acid3-related changes in Firefox won’t make it into Firefox 3), but will probably find their way into the next major version.

We’re in the home stretch. Opera’s nearly there, but WebKit is close behind. WebKit could still catch up while Opera polishes off the rendering issues, in which case Safari would be the first browser to pass both Acid2 and Acid3.

Congratulations to the Opera team, and best of luck in the final lap of the race!

Update: Just a few hours later, and WebKit has caught up, also passing 100/100. And as they point out, it’s a public build, one you can download and try out yourself! The race to pass is going to be very close. Though at this point, it’s almost certain that WebKit will be the first to be publicly accessible.

(via CSS3.info. More at OperaWatch and The Good Life.)

Rows 4-5 test fallback behavior for objects. The idea is that if a page tries to load an external resource, but can’t—the file is missing, the server’s down, the network’s slow, the browser doesn’t have the right plugin, etc.—the page can provide alternate content. And it can be nested, so you can try, say, a video clip that falls back to an SVG image that falls back to a PNG that falls back to text. The Acid2 guide goes into more detail, with the relevant section of code being this:

<object data="data:application/x-unknown,ERROR">
  <object data="http://www.webstandards.org/404/" type="text/html">
    <object type="image/png" data="data:image/png;...">ERROR</object>
  </object>
</object>

So it tries to load the first object, which is deliberately made unloadable. Then it tries to load the second object, which calls out to a webpage which is supposed to be unavailable. Then it falls back to the third object, which is an embedded image of the eyes.

The problems have been with the second object, the one hosted outside of the test file itself.

Back in December, when Microsoft announced that their internal builds of IE8 passed Acid2, lots of people started checking it in the Firefox 3 beta, Safari, and Opera, browsers that were known to pass. And they were surprised to find it didn’t work. It turned out that the server config on www.webstandards.org had changed such that the file requested actually returned a page instead of an error, so browsers were properly loading that page instead of the eyes. It was suggested that people use an alternate copy of the test that pointed to a different external resource.

Then when IE8 beta1 came out, people rushed to try it themselves. By this time the server config had been fixed, so the official copy of the test worked again. But people trying it on alternate copies ran into a problem, because it tripped a cross-site security check (IE8b1 would only load objects from the same domain) and IE8 wasn’t using the fallback content if it was blocked for security reasons. (This makes absolutely no sense. It’s like refusing to let someone board a plane if they trip a metal detector, instead of checking to make sure they didn’t miss a few coins and having them walk through again. Add to that the fact that IE is perfectly happy to load images, iframes, Flash animations, etc. from other sites, and the restriction itself seems a bit silly.)

So now Safari 3.1 is out, and has problems with exactly the same line. In my test on Windows, it displays this dithered orange band. In my test on Mac OS, it looks like this for a few seconds, but continues to display the page-loading icon. Then it finishes loading and displays the eyes, passing the test. It looks like it’s just taking a couple of seconds to check that external resource before falling back to the alternative.

I just find it interesting that all of these come down to one single piece of the test, and it’s the piece that tries to load an external resource—something that isn’t within its own control.

Looking through the code, I find:

Browser upgrade banners. People using old versions of Firefox (currently 1.5 or older) or Internet Explorer (currently 5.5 or older) get an “Upgrade to Firefox 2″ banner instead of the thumbnail of the current issue of the comic. This is just as easily done with JavaScript—and is done with JS elsewhere on the site. (I used to make some minor adjustments for other versions of IE, but I converted them all to conditional comments a while back.)

Last-modified date in the footer, pulled from the actual file. I’ve already got a script to update this in the static files, so it’s just a matter of adding it to my general update script. A two-minute, one-time change and I’ll never notice the difference.

Latest posts from this blog. Probably better done with an iframe, or maybe using AJAX. Drawback: either method would mean an extra request from the client. On the plus side, repeat visitors would be able to re-use the rest of the page, and only download the 5-item list.

Unique-per-day spamtrap addresses, hidden where harvesters might pick them up. But only a few of them still accept mail and feed it to filters. Mostly, they just waste spammers’ resources. I could easily either get rid of them or change the script to generate a new address with each update instead of each day.

So really, there isn’t much stopping me from using a static file for the most-viewed page on the site, with all the attendant savings in system resources, bandwidth, etc.

On the other hand, I keep contemplating switching to a database-driven system for the whole thing, which would make any changes now meaningless. But since I’ve been thinking about that since around 2000 or so, and haven’t changed it yet, that’s not exactly a blocker!

Update (March 30): I’ve made the conversion to a static file. The blog posts and browser upgrade banners are now done client-side (and run after the rest of the page is loaded), the last-modified date is part of the pre-processing script, and I just removed the daily spamtrap addresses. Now to see whether it actually improves performance.

Now the first IE8 beta supports Webslices. They’re similar in concept, but can include formatted data (not just plain text) and use microformat-like markup on the web page instead of a <link> element in the head.

I figured with two browsers supporting the concept, I’d give it a shot. I adapted the script I use to generate the RSS feed so that it will also take everything on the most recent day and generate a text file, which is used for the Microsummary title. For the Webslice, to start with I just marked up the “Latest Updates” section of the home page. Since I haven’t installed IE8b1 at home, I’m using Daniel Glazman’s experimental Webchunks extension for Firefox to try it out. Unfortunately the extension doesn’t seem to resolve relative links in its current state.

The real question, of course, is whether either technology offers anything better than what feeds can do now.

I think I’ll end up going the external-feed route for the Webslice as well, since it’ll use a lot less bandwidth than having a bunch of IE installations pulling the entire home page once a day. Plus since I’m using SSI on that page, it doesn’t take advantage of conditional requests and caching, and a static file will. But that’ll have to wait. Lost is on in 2 minutes, and after getting up earlier than usual this morning, I’ll probably be going to bed right after the show.

Update: I checked in IE8, and the webslice does work as expected. A few minor differences: Webchunks pulls in external styles, like the background and colors, while IE8b1 only uses styles in the chunk itself. Interesting bit: I’m marking up list items as entries, and IE8 is actually displaying them as a bulleted list, while Webchunks is simply showing the content.

So it at least works. Maybe tonight or Sunday I’ll see if I can refine it a bit.

Also, Microsoft has come to their senses and announced that IE8, when encountering a web page that says it was developed for standards, will actually treat it that way instead of treating it as a page that was designed for IE7. This is a much saner approach to the version targeting scheme, which as previously announced would have (depending on developer response) either frozen IE in place or forced us to go through the same process all over again next time.

The ISC reminds us that IE7 will be pushed out to WSUS next week, which should help get rid of IE6. Yeah, I’d rather more people switched to Firefox or Opera, but I’m at the point where I’d love to be able to stop worrying about IE6’s shortcomings when trying to build sites. IE7’s shortcomings are much easier to work around. (Sorry to keep harping on this!)

The inventor of Norton Antivirus talks about computer security and has some rather interesting ideas on what policies are worth pursuing…and what policies aren’t. Long passwords? Great for protecting a stand-alone machine, but on a 10,000 machine network, they only need to crack one. Patch everything? Not every vulnerability gets exploited. I’ll have to read the Slashdot thread when I have time; that should be really *ahem* interesting.