At the Mozilla Summit, there was a discussion on browser fingerprinting. After the initial talk given by the session leader, I made the first contribution from the floor; I said “we’re doomed!”.
People are currently arguing for a reduction in the specificity of the information the browser gives out regarding its own version identification (e.g. Gecko date, Gecko revision, Firefox sub-version level). This information is present in (at least) two places – the User Agent, and various JS properties.
Jesse makes the point that there is a difference between server-side sniffing (done on the basis of the HTTP request) and client-side (done with the benefit of Flash, Java, JS properties and all the other client side info). If the sniffing is done client-side, you can at least see it’s going on by examining the code.
My point: there is no purpose in restricting the client-side availability of detailed version information.
Here’s why. That’s a list of the changes made from Firefox 3.6.5 to 3.6.7. All I have to do to differentiate between these two Firefox versions is to find one of those bugs whose difference in behaviour can be detected by a web page, and write a test. In fact, the Mozilla project may have already done so for me, because code checkins are supposed to come with tests which fail without the patch and pass with it.
There may be a case for restricting what we send to the server to allow it to do server-side sniffing, but there is no point at all in restricting client-side version information. The very nature of different versions means that it’s fairly easy to produce tests which give you exactly the same information.