Comments on: Sorry, your HTTP headers are incomplete http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html Fri, 10 Jun 2011 13:15:34 +0000 hourly 1 http://wordpress.org/?v=3.1.3 By: Brenda http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-35 Brenda Mon, 27 Apr 2009 22:00:00 +0000 http://blog.trasatti.it/?p=421#comment-35 did they spell origin correctly? did they spell origin correctly?

]]> By: Peter J. Cranstone http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-33 Peter J. Cranstone Tue, 21 Apr 2009 23:09:00 +0000 http://blog.trasatti.it/?p=421#comment-33 Hi Andrea,<br /><br />You wrote "As things stand, in the mobile world, we hardly have any access, from the server to the capabilities of the device".<br /><br />In a few weeks I hope you will be able to change your opinion. Right now we're able to send any device capability to the server. On Windows Mobile you can access ANY device side data from inside the browser using JavaScript - On Blackberry we simply send you the data via the outgoing HTTP request headers.<br /><br />Totally agree with you on BONDI. It's years away from being able to do anything. You could try Google Gears, (doesn't work on BB) but they still can't do what you need.<br /><br />The problem is really simple to define - the server needs to know more about the device and terminal capabilities of the mobile device "in real time". Apart from writing a full blown mobile app to send that data via a socket the ONLY other way to do it is via the browser.<br /><br />I'll be interested to see what you think of 5o9Me when we release it. I think you're going to be surprised at what you can see. <br /><br />Only dependency is that it works on either BB or WM and requires that you use the default browser (which is also free)<br /><br />Cheers,<br /><br />Peter Hi Andrea,

You wrote “As things stand, in the mobile world, we hardly have any access, from the server to the capabilities of the device”.

In a few weeks I hope you will be able to change your opinion. Right now we’re able to send any device capability to the server. On Windows Mobile you can access ANY device side data from inside the browser using JavaScript – On Blackberry we simply send you the data via the outgoing HTTP request headers.

Totally agree with you on BONDI. It’s years away from being able to do anything. You could try Google Gears, (doesn’t work on BB) but they still can’t do what you need.

The problem is really simple to define – the server needs to know more about the device and terminal capabilities of the mobile device “in real time”. Apart from writing a full blown mobile app to send that data via a socket the ONLY other way to do it is via the browser.

I’ll be interested to see what you think of 5o9Me when we release it. I think you’re going to be surprised at what you can see.

Only dependency is that it works on either BB or WM and requires that you use the default browser (which is also free)

Cheers,

Peter

]]> By: Andrea Trasatti http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-32 Andrea Trasatti Tue, 21 Apr 2009 22:49:01 +0000 http://blog.trasatti.it/?p=421#comment-32 Jon Arne,<br />this is <b>my</b> blog not dotMobi's so here are only my views that will often also be the same as dotMobi, but not necessarily.<br /><br />On to your questions, I can only agree partly with you.<br /><br />UAProf was born to describe the "User-Agent" so that should be only about the browser. We all know that up until 1-2 years ago the browser was actually <b>PART</b> of the device so even though probably not perfect it made sense to ALSO describe the device.<br /><br />I agree with you that it is appropriate for the User-Agent string to describe the User-Agent only (i.e. the browser), <i>in a perfect world</i>.<br />As things stand, in the mobile world, we hardly have any access, from the server to the capabilities of the device. In the PC/Windows/Linux/Mac world we have access to those details via Javascript and we know that computers will be able to handle plugins and "strange" contents very well. In the mobile world it's not like that and even the iPhone that is usually considered the best you can get is actually very poor to deal with contents that are not video and MP3. We need an alternative and today it does not exist. <a HREF="http://bondi.omtp.org/" REL="nofollow" rel="nofollow">BONDI</a> could be an alternative, but it is still far from coming, I mean we are talking about 1-2 years from now (and that will only happen for high end devices initially, so mainstream is a few years)!<br /><br />I think this is a complex topic and needs careful thinking, but let's just say that today, I would rather keep everything that was there and add something instead of replacing. So if I was developing a new device with a powerful browser that supports BONDI and lets the server interact with the GPS and contacts, etc, I would still provide the UAProf <b>AND</b> provide access to the new stuff. You can't just drop stuff in one device and expect that it works and that everyone implements and supports new features. Jon Arne,
this is my blog not dotMobi’s so here are only my views that will often also be the same as dotMobi, but not necessarily.

On to your questions, I can only agree partly with you.

UAProf was born to describe the “User-Agent” so that should be only about the browser. We all know that up until 1-2 years ago the browser was actually PART of the device so even though probably not perfect it made sense to ALSO describe the device.

I agree with you that it is appropriate for the User-Agent string to describe the User-Agent only (i.e. the browser), in a perfect world.
As things stand, in the mobile world, we hardly have any access, from the server to the capabilities of the device. In the PC/Windows/Linux/Mac world we have access to those details via Javascript and we know that computers will be able to handle plugins and “strange” contents very well. In the mobile world it’s not like that and even the iPhone that is usually considered the best you can get is actually very poor to deal with contents that are not video and MP3. We need an alternative and today it does not exist. BONDI could be an alternative, but it is still far from coming, I mean we are talking about 1-2 years from now (and that will only happen for high end devices initially, so mainstream is a few years)!

I think this is a complex topic and needs careful thinking, but let’s just say that today, I would rather keep everything that was there and add something instead of replacing. So if I was developing a new device with a powerful browser that supports BONDI and lets the server interact with the GPS and contacts, etc, I would still provide the UAProf AND provide access to the new stuff. You can’t just drop stuff in one device and expect that it works and that everyone implements and supports new features.

]]> By: jon arne sæterås http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-31 jon arne sæterås Tue, 21 Apr 2009 19:10:00 +0000 http://blog.trasatti.it/?p=421#comment-31 Andrea, I have seen this trend as well and, as most of us, I wonder what the future will bring. My guess is that we are facing the challenge of a new dimension; The device as the old well known dimension, and the browser as the new. I guess we will see UA stings identifying the browser, and not the device. A great example is "Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240x320)" which is the user agent of both HTC startrek and HTC Tornado. Makes sense, kind of... why should the browser report what kind of device it is running on? You dont see that in the desktop world. You also mention the UA profile. But what should be the contents of the profile? the profile of the browser or the device? The name implies that it is the profile of the UA, that is the browser in my previous example. Then this headerfield is useless as well... :( Opera Mini has solved this by addingpropriatory header fields. Whats your(and dotmobis) thoughts? Andrea, I have seen this trend as well and, as most of us, I wonder what the future will bring. My guess is that we are facing the challenge of a new dimension; The device as the old well known dimension, and the browser as the new. I guess we will see UA stings identifying the browser, and not the device. A great example is “Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 240×320)” which is the user agent of both HTC startrek and HTC Tornado. Makes sense, kind of… why should the browser report what kind of device it is running on? You dont see that in the desktop world. You also mention the UA profile. But what should be the contents of the profile? the profile of the browser or the device? The name implies that it is the profile of the UA, that is the browser in my previous example. Then this headerfield is useless as well… :( Opera Mini has solved this by addingpropriatory header fields. Whats your(and dotmobis) thoughts?

]]> By: Peter J. Cranstone http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-30 Peter J. Cranstone Tue, 21 Apr 2009 14:29:00 +0000 http://blog.trasatti.it/?p=421#comment-30 Hi Andrea,<br /><br />I know how much you like headers so I thought I would post a link to some really cool headers. You will know exactly what they are when you see them. You will also know exactly what it means you can now do if you can see them.<br /><br />Enjoy. Here's the link: http://petercranstone.blogspot.com/2009/04/whats-in-your-http-headers.html<br /><br />Cheers,<br /><br /><br />Peter Hi Andrea,

I know how much you like headers so I thought I would post a link to some really cool headers. You will know exactly what they are when you see them. You will also know exactly what it means you can now do if you can see them.

Enjoy. Here’s the link: http://petercranstone.blogspot.com/2009/04/whats-in-your-http-headers.html

Cheers,

Peter

]]> By: Paschal http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-29 Paschal Tue, 21 Apr 2009 12:59:00 +0000 http://blog.trasatti.it/?p=421#comment-29 It was new to me before last night!<br /><br />I'm with you on the Meh though. The kind of developers that are aware of these obscure new headers are the kind of people who develop sites which are not vulnerable to CSRF attacks in the first place. It was new to me before last night!

I’m with you on the Meh though. The kind of developers that are aware of these obscure new headers are the kind of people who develop sites which are not vulnerable to CSRF attacks in the first place.

]]> By: Peter J. Cranstone http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-28 Peter J. Cranstone Tue, 21 Apr 2009 12:55:00 +0000 http://blog.trasatti.it/?p=421#comment-28 Andrea,<br /><br />Great post. Like you we believe in the power of headers. So we're going to do something about it. In June we're releasing a product for Windows Mobile & Blackberry into the public domain. It will allow you to add ANY header you want to the outgoing request header. In addition it will come with it's own set of standard headers. If you have a GPS on board your mobile device you can chose an option that will automatically include that data as you navigate to a web site.<br /><br />You shouldn't have to link to any external site when it comes to DEVCAP and TERMCAP - the device should tell you in real time what it's capable of doing. And if it doesn't then there should be a way of adding your own data to the outgoing request headers.<br /><br />We've solved that problem.<br /><br />Local GPS enabled search anyone?<br /><br />Cheers,<br /><br />Peter Andrea,

Great post. Like you we believe in the power of headers. So we're going to do something about it. In June we're releasing a product for Windows Mobile & Blackberry into the public domain. It will allow you to add ANY header you want to the outgoing request header. In addition it will come with it's own set of standard headers. If you have a GPS on board your mobile device you can chose an option that will automatically include that data as you navigate to a web site.

You shouldn't have to link to any external site when it comes to DEVCAP and TERMCAP – the device should tell you in real time what it's capable of doing. And if it doesn't then there should be a way of adding your own data to the outgoing request headers.

We've solved that problem.

Local GPS enabled search anyone?

Cheers,

Peter

]]> By: Andrea Trasatti http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-27 Andrea Trasatti Tue, 21 Apr 2009 10:59:45 +0000 http://blog.trasatti.it/?p=421#comment-27 Meh, this is security paranoia, but thank you for the links Paschal, I just learnt something new. Meh, this is security paranoia, but thank you for the links Paschal, I just learnt something new.

]]> By: Paschal http://blog.trasatti.it/2009/04/sorry-your-http-headers-are-incomplete.html#comment-26 Paschal Mon, 20 Apr 2009 23:15:00 +0000 http://blog.trasatti.it/?p=421#comment-26 Well not <b>EXACTLY</b> the same<br /><br /><a HREF="http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html" REL="nofollow" rel="nofollow">http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html</a><a HREF="http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt" REL="nofollow" rel="nofollow">http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt</a> Well not EXACTLY the same

http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.htmlhttp://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt

]]>