Michael Downey 🇺🇳

Dear devs,

It's NEVER ok to lock people out of a webapp because their User-Agent doesn't match your predefined list. 😡

Especially webapps they need to manage their healthcare.

(I am in fact using one of the browsers on this list, your code just isn't able to tell.)

:boost_love: Please boost for basic education.

#webdev

157 comments
kitsune

@downey instead of flat out locking people out, it should be standard to instead have "It appears you're using an unsupported browser, use firefox chrome blah blah blah, click here to proceed anyway, some elements may not appear or work correctly"

Michael Downey 🇺🇳

@kitsune

💯

I don't mind a disclaimer or reminder.

But this is an anti-pattern I've seen start to creep up on several web sites lately.

David Nash

@downey @kitsune 1996: "You can't see this website, you don't have a kewl browser, upgrade to Netscape v1.π today"

2023: "You can't see this website, you have a stale icky browser, upgrade to advanced adware today"

rus

@dpnash @downey @kitsune there was also a period of time when you had a *more* advanced browser, say Netscape 3, and you'd get the same error as some of those pages looked for specific matches.

Brett Sheffield (he/him)

@kitsune @downey A competent web dev would test for browser features. There is never a good reason to look at the User-Agent string.

Hanneke 🐣

@dentangle @kitsune @downey A competent dev *with enough budget*. But they should never lock one out though.

Dasy2k1

@dentangle @kitsune @downey

Although warning if they are using ie7 or earlier that you can't guarantee that your layout isn't completely janky on browsers that are not standards compliant is fine

Hanneke 🐣

@kitsune @downey 👆🏻👆🏻👆🏻

IzzyOnDroid ✅

@downey Especially "fun" if you update your router to the latest firmware – and it comes back online with such a "friendly hint" without any chance for you to get in again. Just tested for you…

(luckily I use a 5-browser-concept so I was able to get in with one of the others)

What can be so difficult with a simple web interface that it needs a specific browser?

Chris

@IzzyOnDroid @downey Just a heads-up; You can easily fake your user agent via extensions (to the point of pressing a button, followed by the browser).

There isn't a whole lot of things that aren't done easier in-browser, compared to using multiple ones nowadays.

IzzyOnDroid ✅

@christopherklay you can and I can, and I bet @downey can as well. But many users are simply lost at that point. Furthermore, if faking the agent does the trick, the blocker was entirely unnecessary.

And as for "using multiple ones": I do that for multiple reasons. One of them is "compartments" (yes I know "container tabs", but what's in different browsers is an entirely different beast).

Chris

@IzzyOnDroid @downey I completely agree that the blocker is pointless to begin with.

My point is mostly that simply having a user agent switcher installed that solves any of these issues down the line, is the easier solution compared to opening the page in a different browser every time it happens.

After all, the majority of people isn't running multiple ones, or is even logged in (if needed) in a second one.

Mo

@IzzyOnDroid
Which Browsers do you recommend?
I use Librewolf, Vivaldi, Ungoogled Chromium and Tor.

Guy Montag

@RealMo if I just want to read text, like in an article, I open it in Emacs's Eww mode. I avoid all the garbage and distractions, and can manipulate it however I like.

MysteriousBenji

@christopherklay @IzzyOnDroid @downey yeah. Although the trouble is that the people who probably have the greatest need of sites like this and also have a high likelihood of running “Unsupported” browsers probably aren’t the kind to poke around the dev menu

Niclas Hedhman

@downey I have also recently seen being refused because my browser blocks advertisements.

MJ Ray

@niclas @downey from a medical site? That must breach medical ethics, as I bet it blocks some screen readers.

Firecat

@mjr @niclas @downey it does because the company is being lazy and redirects you to the website, not an actual application. This is where they illegally break the laws to collect data but it's very hard to prove it in courts because there is no way to get the source code without reason and by that time these companies will have collected over 50 million people's data.

Amelia Bjornsdottir (she, they, he)
@downey I'm probably gonna experience this a bit by running NetSurf on my new thinkpad
Alex Volkov

I too, saw one of these warnings recently. I hoped the whole “best viewed with Internet Explorer” thing would die forever, but it keeps coming back.

Asta McCarthy

@downey "our website strictly follows well established web standards, therefore we support any browser you like" should indeed be the proper attitude to web development.

casey is remote

@downey This.

I'm using #Blackboard for online classes, and #Waterfox isn't technically supported by #Blackboard. I get notifications...but that's it, it still lets me use the site.

I have #Brave installed only as a last resort, for compatibility reasons

π’€­Ralf MuschallπŸ™-

@downey It isn't that easy, particularly in medical applications. An "out-of-date browser" error message usually means that the browser is so very old that there is no common encryption algorithm between the server and the browser (the latter only supporting encryptions which are known to be broken).

I've recently seen the opposite problem: a printserver from 2019 that couldn't be configured using recent firefox. I had to go to about:config and downgrade security.tls.version.fallback.limit and security.version.min

Hans Hammer

@ralf_muschall @downey This might be a valid reason. But then they should list which feature is not supported, why it is absolutely necessary (like you mention e.g. encryption in health care or banking) and which versions of the mentioned browsers are supported.

project always tired

@ralf_muschall @downey If there's a tls setup error (because the server is set up to stricter settings), the server obviously can't serve "the browser is too old" either. So that can't be it.

Yuki 膀 :heart_trans:

@downey This is exactly why every decent browser claims they're Mozilla since the 90s and everyone keeps adding and spoofing each other

but no, tech support don't want to tell a user with a browser they don't know how to clear their cache even though it tells them it works exactly like Google Chrome, with the side effect they ruin it for everyone who legitimately want to use the user-agent string, starting a cat and mouse game with browser vendors who want their browser to be as accessible as any major one

DELETED

@downey And how many trackers are on this website?

Keith J Grant

@downey Most weeks I have to check the city website to see if it's a recycle pickup week... I spent the first five seconds looking at a loading spinner that says "Checking your browser..."

What's to check!? I literally just need to you show me an "A" or a "B"

Steven Molnar

@keithjgrant @downey They can also make it very difficult to pay a utility bill. What's the worst that could happen? Someone hacks my account and pays my bill? I'm trying to give them money, not take it.

Ulrich_the_Elder 🇨🇦 🇺🇦 😷

@downey Every time this happens I go and clear my cache and then it works fine. Try that. Good luck.

nhOmega

@downey even worse: This website only works in Chrome.

Can we get rid of this stupidity.

And yes user-agent is the worst possible way to check what someone is using.

If you need a specific feature - check for that feature and then inform the person WHY a different browser might be needed.

Yancy Burns

@downey @ruskie Please use ie6, as your browser doesn’t support Flash player 4.

Purplepegasus

@ruskie @downey Exactly! I thought good web development meant you were supposed to make things more accessible, not less!

Arbiter Albi

@ruskie @downey

> This website only works in Chrome.

oooooh I hate that!!

joe

@downey I don't think the devs made this decision.

Hollis

@Smokinjoe Thank you. Former healthcare webdev. Former. There are ...reasons.

Tröglödÿt

@Smokinjoe

'i just followed orders' isn't the nice excuse you expect it to be

@downey

joe

@troglodyt @downey Are you seriously comparing an engineer listening to their manager to literal fucking genocide?

Tröglödÿt

@Smokinjoe

no, but obviously you find the principle behind your suggestion quite distasteful in light of modern history

maybe remove the suggestion then

@downey

joe

@downey @troglodyt I'd be more than happy to - not sure *where* that conversation was supposed to go.

Tröglödÿt

@Smokinjoe

probably to you explaining whether you'd go nuremberg trials on facebook employees facilitating genocidal processes in myanmar

Julia :verified_trans:

@downey@floss.social I make one exception, which is when the user agent matches microsoft internet explorer

βœ¨γƒ‘γƒƒγƒ„γ‚©βœ¨ :sabakan: :mastodont:

@downey
> “It appears you may be using a browser that is out of date.”
> admits the statement may be incorrect
> still locks you out 100% of the time
> :blobcatJustRight:

RommelRico

@downey Happens to me sometimes with Firefox Developer Edition.

infinite_loopy

@downey My trash company blocks me from paying my bill because I use firefox ESR, which reports a version number they don't like. They refuse to change it despite their insistence that they would "pass on this feedback to the IT team"

scrottie (he/him/they)

@infinite_loopy @downey Came here for this... Long Term Support/Extended Support Release versions still getting security updates are not "out of date" and often companies *avoid* the absolute latest versions of things as security problems are frequently introduced in the latest version and then fixed later. People scour commit logs for security problems introduced in new commits and diff binaries for new code.

Kevin Russell

@downey

Devs do as they are told, 50 years now.
Lotus 123 was the revolution in apps, bringing computing to any business.

It wasn't Microsoft's, so the rule for DOS devs was made. The Corporate app. rule.

Sasha

@downey software made for the medical industry is the worst

Inken Paper

@ferrata @downey i have a friend who quit doing medical software coding because of the stress that his code could inadvertently kill someone.

Lutrulo

@downey Web devs on their way to making an almost universally cross-platform medium arbitrarily locked down:

vandys

@downey And web devs, PLEASE don't grab at every shiny new thing and stuff it into your web site. I know it makes you feel cool, but we're all getting tired of the frenzied death march into bleeding edge browser quality.

osfanbuff63 :blobfoxfloofcofe:

@downey Not supporting super old browsers is one thing, totally blocking User-Agents that don't meet a certain list is another...

hey at least they list firefox :blobfox3c:

MaybeMyMonkeys

@downey reminds me when a project manager wanted to know why we couldn’t just make our customers use Internet Explorer.

William Conner

@downey I feel your pain. My bank has continuing issues with on line bill pay using one of the browsers they claim to support.

Atle Frenvik Sveen

@downey every time I see these I remember that I spent hours getting stuff to work in ie6. If I could get a webpage to work in ie6, webdevs of today can make their crap work in all chrome variations + Firefox

Sully1503

@downey Weird, when there’s effectively, three browsers: Chromium, Safari, and Firefox.

Dym Sohin

@sully1503 @downey sometimes it's just a 3rd-party js file that has all the tests for compatibility – which can't load – due to strict mode or CORS misconfiguration or disabled JS, so this default placeholder is the only thing that is shown

Paul_IPv6

@downey

yes!

web devs who don't want to actually test any browser other than the chrome version so new the paint is still drying, with whatever shiny new toy in chrome they haven't gotten to use before, drives me nuts. some don't even bother to test safari/webkit, breaking anyone using an iphone/ipad.

do better...

Dym Sohin

@downey switching to desktop-mode on ios safari sometimes fixes this kind of nonsense

f4grx Sebastien (OLD ACCOUNT)

@downey for your list: doctolib in France denies me the right to book a medical appointment with firefox mobile 68, aka the last version that can save a webpage as pdf.

Stefan Scholl

@downey These things are very seldom the idea of developers.

Julien Martlet 🚲📚 🥗 📷 💻

@downey Interesting that some of those browsers have their company names mentioned before, while others don’t. Just sloppy wording I suppose, but still.

Faisal

@downey CVS’s web site is its own special circle of hell. This is only a symptom. It has far worse problems once one opens the box.

Dan Jacob

@downey a well-designed site using proper web standards should just work.

Maybe some things might not work as well, but it should degrade gracefully.

This feels like the devs are using a JS framework that doesn't work on older browsers and would otherwise just show a White Screen of Death.

cleatsandcode

@downey @ygalanter and what are the chances of that useragent sniffing is tested for accuracy when updated and not just looking for edge of the big four browsers?

Also the days of demanding any particular browser has gone now, unless it’s nightly features… lazy abandoned but too scary to remove from the repo?

JJ Celery

@downey the icon also looks like an oven so that doesn't help.

Steve

@downey I warned them this would happen when netscape navigator told me it didn't support tables

Ivan Sagalaev :flag_wbw:

@downey I think it's a lost cause by now… It's been more than two decades of web developers showing they care about control over final look and access to new APIs far more than of the idea of producing structured content and letting browsers do their job in whatever way those choose.

skpodila

@downey @josh this!! 100% this!! My biggest frustration was with @figma #figma who wouldn’t allow MSEdge!!

Orca🌻 | 🏴🏳️‍⚧️

@downey@floss.social Probably just to cover up the incompetent that they can't work out how to identify a browser without whitelisting certain UA. (Though it only resulted in more embarrassing)

Stéphane Calonnec🗿

@downey I do enjoy the oven icon to illustrate you're using an unsupported browser.

Remember to update your oven, you'll enjoy the website !! 😉

🏔️ owl 🌲

@downey I use the only browser that's accessible to me and websites hate it because it doesn't support WebMIDI or whatever.

Terri Morgan

@downey Small Bank with an outsourced dev team just did that to me.

TOTALLY Locked me out because they don't know how to manage security with forcing me to get a new Android phone? I can't upgrade the app -- it's not compatible with my phone and the bank won't let me use the browser on my phone to log in.

Naga

@downey Happy to boost. I am filled with rage at CVS today anyway.

lori

@downey same outside of the browser too. Don't tell me I can't download your software because I'm on Linux, there's ways I can still run it, or maybe I'm going to copy it to another machine!

Michael Downey 🇺🇳

@lori agree but at least with those there is usually some fine print somewhere to get access to other builds...

theo⏚ ✅

@downey

Same thing happened to me last week.

My insurance company wouldn't let me pay what I owed them when using Firefox installed directly from the Debian repository. I could proceed with chromium... from the same repository.

Phantom Kitty (Tech)

@downey I've actually seen a website said that you must use only actual Google Chrome, Chromium was not allowed, nor was Firefox/Mozilla or Opera. I think the site only got paid for displaying ads when they were shown in Chrome and not in any other browser. Absolute stupidity in my opinion (I've been doing software testing for just under 30 years).

Kazii The Avali

@phantomkitty @downey i will never understand browsers like this. if your website doesn't support firefox then i probably don't need you.

Lord Matt ✔️✔️✔️✔️✔️✔️

@downey We know enough to make a page work on all types of browsers, there is no excuse for devs doing that. They are doing it wrong.

Analog AI

@downey And if you are writing code that "might not run" on a user-agent, then don't write that code. The only thing a health care webapp needs to care about is security. If you can't add a fancy feature and support all user agents, then do the same thing with a simpler feature!

Elenna, Goo Girl

@downey I had this with webmail once. Turned out it happened because of a particular piece of JS I hadn't allowed, but it gave no indication of that (instead this shitty company tried to get me to install their own browser)

TSM at Work

I’m looking at you, Giant United States Bank Who Holds Some Debt For Me. You should really bloody know better. And p.s. let me use my chosen #2FA #TOTP application. Eight digit codes sent over SMS? Really? #rant

Jigme Datse

@downey This was a very bad idea when Firefox 3.5 came out... And had already been a bad idea at that point. You'd think in 14 years (if my math is correct) of "this is a bad idea" there would be like a sense that maybe webdevs would have learnt this. I'm getting really annoyed with it (Safari iOS is where I'm seeing it frequently).

PPN

@downey Dear Michael, it is almost never a dev’s choice. It is usually an inept person who is not dev yet makes the call.

Xavier Jacques Côté

@downey I do suspect some companies who got burned (or fears to be burned) by security/data breach had decided even the users should be up2date.

This or they don’t want to deal with the costs associated with supporting users who have an old machine/browser, where the results could be not functioning properly. While blocking the browser user agents is not bullet proof, it’s good enough for the majority of the users, and way much cheaper to implement.

But I agree, it’s not great.

Hera [Ft. Dante from the Devil May Cry series]

@downey We should also normalize user agent spoofing, it’s laughable that it’s seen as anything remotely unintended. It’s frequently necessary.

notsureither :verified: :verified:

@downey Microsoft does this on Bing. Changing the user agent using a Firefox extension unlocks both AI features and additional MS Rewards points with no weird issues

Badgerclops πŸ€

@downey fun fact: All Linux desktop users are BARRED from using the Cox Contour/Xfinity X1 on demand site as well as Peacock.tv.

CubeOfCheese

@downey Not an essential service but snapchat for web purposefully doesn't support firefox and it's really annoying

Proxfox Virtual Environment 🦊

@downey @nyangogo and don't do it to make it seem like the built in browser is any way inferior to yours (cough cough, Google)

:blahaj: Why Not Zoidberg? 🦑

@downey to be fair supporting say IE is a very bad idea since it cannot be secure.

Matt Franz

@downey Devs were probably just "following orders" from security or compliance. 😼

XSS~1.BUN :blobhaj_hearttrans:

@downey it's also super frustrating to see/use cvs services from overseas (eg preparing for a trip to the US) or connected to VPN

Max

@downey Had the same nonsense with our national tax agency when I needed to give my wife permission to get my info. The process involves DigID, our national identification platform, which has a web interface and apps for Android and iOS.

The tax agency give you a link to follow, but that only works on mobile (because of course it does, even though there's no technical need for it), and then only in a handful of browsers (of which Samsung Internet isn't one). So I have to copy and paste that URL into Chrome, like a caveman, have it kick off the identification through the app, which redirects me to my default browser, still Samsung Internet, but now it's suddenly OK and the permission is granted.

Maddening. Several hurdles that have no real use.

💉😷🌿Oiselarius (he/him)

@downey @pawsplay I’m running into this with devices too. Yes my blood pressure cuff is about 8 years old and since then Apple has discontinued the lightning connection. But does that mean you stop making apps compatible with the latest iOS, forcing people to buy a new device? And this isn’t the only device I have that was but is no longer compatible with MacOS and iOS or healthcare providers not accepting Applehealth data. It’s terrible.

Michael Downey 🇺🇳

@Oiselarius @pawsplay

Our city government and some of our publicly-owned entertainment venues are starting to do the same.

TechieNotNetie

@downey Unfortunately the User Agent String is not the only method bad sites can use to block your browser.

The new "kid" on the block is the Client Hints Sec-CH-UA header (and corresponding JS APIs). I have seen one site exclude "unsupported browsers" and suspect another 3+, including a bank, of abusing the header, but can't test since if they are doing it, they are blocking after login.

For more about this, please see my article vivaldi.com/blog/technology/cl

silver

@TechieNotNetie @downey this is fascinating, thank you. i have actually started seeing that error as well despite using a fully updated firefox; i suspected it was my scriptblocker for some reason and can only assume from your comment that i was right. interesting but frustrating.

Jernej Simončič

@downey This is one of the reasons @Vivaldi browser stopped identifying itself in User-agent.

Jon Brown

@downey @andyfragen same with blocking all traffic from a VPN or an outside the US IP. Both things my health insurance portal does.

Pixel Doge

@downey there was at some point a proposal to completely remove User-Agent strings from HTTP requests, but it was planned after UA Client Hints would ship... Which is kind of the same crap, but structured, so easier to fingerprint and abuse. Now guess which entity with monopolistic practices made the proposal.

A lawful good proposal would be to freeze UA strings, without putting the information elsewhere.

Riedler

@downey I'm more and more inclined to add a popup like that for chrom(ium) users on riedler.wien/

"Looks like you're using an unsupported browser. Download Firefox or click [here] to continue anyway"

Derek Hansen

@downey I recently installed an extension that can spoof multiple browser and OS user agent strings. Recently switched to a Mac and it got worse with some sites showing different features because I am on a Mac.

sour patch dyke 🧡💚❤️💛💙

@downey if you're not absolutely miserable i don't think you're really getting the full CVS experience...

Dirk Schoemakers

@downey What is your suggestion if you want to have an app that uses modern browser features?
Maintain a legacy version?
That leads to much higher costs, slower development and less motivated devs. Maintaining legacy code and trying to solve already solved problems is not the most wanted ticket on a board.

David Croyle

@downey Agreed. Had this happen the other day because Facebook was behind on its list of current Safari browsers after Apple rushed out a new version with an urgent security update. Talk about getting it backwards! Dumb dumb dumb.

Dirk Schoemakers

@downey I believe you have to find a compromise between accessibility and efficiency. And it highly depends on the user group you target. I think it is OK to lock out browsers older than 4+ years.
Showing hints for limited functionality is likely to fail bc users don't read them.

Montgomery Gator

@downey As a Firefox user, I also want to air my grievances with devs that only test with chromium browsers.

Far less common, but I still want to set your servers on fire.

Sparky πŸ’‘

@downey Even more "fun" if they check the browser version number... by looking at the first two digits, and then deny you entry because that browser just jumped from 99.something to 100.something.

Norman Wilson

@downey Also, if you ever ever ever check the User-Agent rather than just conforming to the HTML standard, you're either a controlling jerk or an incompetent jerk. Either way we shouldn't do business with jerks.

❓ucblockhead

@downey I browse a lot on an iPad and it is infuriating how often sites force me into some stupid mobile version, or want to force me into an app that does the same despite being on a machine that is perfectly capable of showing the full browser UI

the best mosfet

@downey Same with ms teams on firefox. It can't create a video call unless you fake the user agent. But then it works fine???

ZahmbieND

@downey Occasionally there's a browser feature that is required for basic functionality of a web app, but you can almost always detect if it's missing from a few lines of javascript code, and only show the warning then.
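
Added example, not part of any post in this thread: the two-digit version check described above flips to "block" when a browser moves from 99 to 100, while probing for the features an app needs and warning (with a way to continue) does not depend on the User-Agent at all. Function names, the feature list and the sample User-Agent strings are constructed for illustration.

```javascript
// Added example: all names below are hypothetical and the inputs are constructed.

// Constructed sample User-Agent strings for Firefox 99 and Firefox 100.
const UA_FX99 = "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0";
const UA_FX100 = "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0";

// --- Anti-pattern: User-Agent sniffing with a hard block -------------------

// Reads only the first two digits of the version, so "100.0" parses as 10.
function naiveMajorVersion(ua) {
  const m = /Firefox\/(\d{2})/.exec(ua);
  return m ? Number(m[1]) : null;
}

// Anything not recognised, or "too old", is locked out with no way forward.
function sniffGate(ua, minMajor) {
  const major = naiveMajorVersion(ua);
  return major !== null && major >= minMajor ? "allow" : "block";
}

// --- Alternative: probe the capabilities the app actually uses -------------

// One probe per required capability. Which capabilities matter is app-specific;
// these three are assumptions chosen for the example.
const REQUIRED_FEATURES = {
  fetch: (env) => typeof env.fetch === "function",
  "crypto.subtle": (env) => Boolean(env.crypto && env.crypto.subtle),
  // Reading localStorage can throw when the user has blocked site storage.
  localStorage: (env) => Boolean(env.localStorage),
};

// Returns the names of required features the environment lacks.
// A probe that throws counts as "missing" instead of breaking the page.
function missingFeatures(env, required = REQUIRED_FEATURES) {
  return Object.keys(required).filter((name) => {
    try {
      return !required[name](env);
    } catch (err) {
      return true;
    }
  });
}

// Never blocks: either proceed, or warn with the exact reason and let the
// user continue anyway.
function featureGate(env, required = REQUIRED_FEATURES) {
  const missing = missingFeatures(env, required);
  return missing.length === 0
    ? { action: "proceed", missing }
    : { action: "warn", canContinue: true, missing };
}

// In a page this would be featureGate(window); guarded so the file also runs in Node.
if (typeof window !== "undefined") {
  console.log(featureGate(window));
} else {
  console.log(sniffGate(UA_FX99, 90), sniffGate(UA_FX100, 90)); // sniffing result flips at 100
}
```

The `missing` list is what a warning page would show, so the user learns which capability is absent instead of being told to change browsers.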

Daughter of Rao

@downey And that they always lie in your face by saying "For the best experience"...

Same thing with accessing a cloudflare "protected" site via tor..
They lie in your face "checking you're human to make sure this connection is secure"... no, you're breaking the TLS connection open so you're actually making things more insecure and privacy invading!

LucifarGundam

@downey

Yet another example of the need to focus on making better software, rather than better hardware.
