The other side of the moon

[philiptellis] /bb|[^b]{2}/
Never stop Grokking


Wednesday, October 13, 2010

What's a browser? — the developer edition

Nicholas Zakas has a great writeup explaining a web browser to non-technical people. I thought I'd take this opportunity to explain what a web browser is to web developers.

At the heart of it, a web browser is two things. It is a program that can communicate with a web server using the HTTP protocol, and it is a program that can render HTML and other associated content types... except that it might not care to. As web developers looking out at the world through the window of a TCP socket on port 80, all we see is an agent on the other end issuing GET and POST requests. What it does with our responses, we don't really know. We do our best to cater to what we can identify. We look at user-agent strings to build statistics of the kinds of browsers that visit our site, and we use JavaScript to detect capabilities that we can use to enhance the experience that we deliver, but what if that JavaScript were never executed and the user-agent string were a lie?

No, at the heart of it, a web browser is just one thing — an HTTP client.

Built upon this HTTP client could be various entities. A real web rendering engine, a crawling bot, an audio browser, a web service client, or a script kiddie using curl. While it may be impossible to know of all possible entities on the other end, as web developers, we must build applications that are prepared to deal with anything.

We use progressive enhancement to create an engaging experience for genuine users of our site regardless of the capabilities of the user agent they use. We validate everything that comes in over that HTTP connection to prevent the destruction or degradation of our service either by malice or accident, and we trust nothing that comes in from the other end. Not the POST data, not the query string, not the cookies, not the request time, and certainly not the user agent string.

Do we assume our users are the kind that Nicholas describes or do we assume that they're all out to destroy us, or perhaps somewhere in between? The reality is that we have to build our sites for all of them. Start with HTTP and progressively enhance from there.
Posted by Philip at 00:58
Labels: , , , , ,

3 comments :

Skan
October 13, 2010 3:47 AM

From what I can understand, what you say in your article is: you can have no expectations of a client.

Well, I agree up to a point, but what you need to consider is standards. So, for example, the client says ‘I'm able to understand HTML5’. And from that point on, you can and you should expect the client to be able to process your response correctly, accordingly to the standard. If it doesn't, then it's not your fault and obviously not your problem.

Anonymous
October 13, 2010 10:39 AM

@Skan I don't think users and business care who's problem it is - stuff must work regardless.

Philip
October 13, 2010 12:29 PM

@Skan, my point is that it could be a malicious user on the other end using curl or a script that they wrote, but pretending to understand HTML5 so that you'll send them certain features. They'll then send you a crafted request to try and compromise your service.

Right at the bottom layer (the HTTP layer), you need to make sure you deal with this. At layers above this (HTML, CSS, Javascript, Ajax), you can do client side capabilities detection to enhance user experience.

Post a Comment

...===...