Blocking user-agents in 3.50

Bartek z. shared this question 10 months ago
Answered

chg: blocking of fake user agents for all custom online maps
Is that the UA string set with <extraHeader> in providers.xml? Can you elaborate as to why?

Replies (1)


Hello,

Leaving some less obvious aspects aside, the main one: "User-agent" based on Mozilla (not just) should identify the application that is making a request on the service. So my question > why not? Why should Locus Map hide its own identity and let web servers think it is some kind of different app/web browser, etc.?


Well, of course, any web client should identify itself. If Locus didn't send any UA or it was just something generic, then no problem here, by all means, go ahead and fix this.


But taking away a powerful and well established customization feature is just plain evil. Why do that?


edit:

I think one realistic reason for taking this away would be a Cease and Desist letter from some big company which has problems and big money to win a lawsuit you would want to avoid. That would be perfectly reasonable of you and understandable to not want to pick a fight. Buuut it would be a pity to lose access to a good source of satellite maps.


Locus Map always set its own user agent. Anyway, custom maps over XML were able to set over => overwrite the Locus Map user agent.

Why was this feature removed? I ask again > why should it be allowed? Why should Locus Map identify itself as, for example, "Firefox"? Please give me a valid legal use case.


"Legal"!? Why, is it illegal somewhere?


First of all, this is not law; what is in the user-agent is not legally binding. There is just a technical specification of what the User-Agent header means and what to put there. The header was meant for analytics and auditing of the HTTP protocol, not for manipulation of the content that is requested. Yet there are still services which change the user experience, what content is available and how this content is available, based on User-Agent.

In the link you included it is pointed out that /ae29a5f7d4b5372684fd9d1aaac04129

A valid use case for leaving user-agent customization in (and why this is also valid for all browser extensions that do this, and why browser developer tools allow this) is that content providers still tend to identify browser (device) capabilities by UA strings and offer different representations for different browsers, under the assumption that it's the best representation this specific browser (and perhaps this specific device) can support. This is an obsolete technique and can actually make the web experience worse due to such browser detection.

Imagine you have a source of tiles created in older days, when such browser detection was a thing. The service is still alive, perfectly free, open - "legal" as you want - but because it does not recognize the "Locus Map" string it will send over some obscure image format that only the most basic WAP browser would support. Because no one maintains the service any longer, or the UA-profile library that service depends on is long outdated.

On the other hand, if a service is generally open to the public and is based on an open standard, but it is limited by the user-agent, is that "legal"? I say it isn't. If the access should be limited, there are more mature ways to do it.


But I believe that if you make something publicly available on the internet, it should be equally available to all browsers, devices or anything, actually. Just the same way as a public service - laundry, groceries - is legally required to be equally available to everyone - no matter the color of your eyes or hair...


But instead of why I need to prove it's legal, I would love to hear, why do you think it's illegal and why only just now this became an issue.


Because the way I see this for the moment is that, for no apparent reason, you spent some time to change something that was otherwise a perfectly good and innocent feature (innocent as in "guns don't kill people - people kill people").


"Illegal" > good point. Too tough a word - so we may better use "inappropriate".

I'm well aware that some older web pages serve different content based on UA. This is usually not the case with map servers. Here the problem is different. They usually serve content to all web browsers/apps, but in case of any problem, they block clients just based on the user agent.

This has happened to us a few times already. The app was for some time blocked on the main OpenStreetMap server, also on the ArcGIS servers, and now we have problems on another OpenStreetMap-based server, where a few users suck this server while hidden behind a Firefox UA.

I understand your point, but I also perfectly understand the server-side point. In case of any over-use of a map server, it is best to easily identify the client that does this. And it is sometimes a problem.

Locus Map internally already blocks a few custom maps for some web addresses (hardcoded in the app - owners directly contacted us) and I would like to change the way it works. So, if you have any web map server that may be used but does not work with a valid Locus Map user agent, simply write to me (you or any other user) and I'll really gladly whitelist this map server in the app.

I hope my thoughts make sense and my explanation is clear. Thanks for understanding and sorry if this change complicates your app usage, even if you respect map server terms-of-use.

Menion
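
The per-server allowlist described in the reply above, sketched as an added example (not Locus Map's code and not written by anyone in this thread): header overrides from a provider definition are applied, but a `User-Agent` override is honoured only for allowlisted hosts. The `Name#value` layout of `<extraHeader>`, the `<provider>`/`<url>` elements, the UA string and the host names are all assumptions or constructed values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

APP_USER_AGENT = "ExampleMapApp/1.0"  # placeholder, not the real Locus Map UA
UA_OVERRIDE_ALLOWLIST = {"legacy-tiles.example"}  # constructed host

# Constructed provider entry; element layout and "Name#value" are assumptions.
SAMPLE_PROVIDER = """
<provider id="1">
  <url>https://tiles.example.org/{z}/{x}/{y}.png</url>
  <extraHeader>User-Agent#Mozilla/5.0 (X11) Firefox/100.0</extraHeader>
  <extraHeader>Referer#https://tiles.example.org/</extraHeader>
</provider>
"""


def build_headers(provider_xml, allowlist=UA_OVERRIDE_ALLOWLIST):
    """Return (headers, dropped) for one provider definition."""
    root = ET.fromstring(provider_xml.strip())
    url = (root.findtext("url") or "").strip()
    host = (urlsplit(url).hostname or "").lower()
    headers = {"User-Agent": APP_USER_AGENT}  # the app's own identity by default
    dropped = []
    for node in root.iter("extraHeader"):
        name, sep, value = (node.text or "").partition("#")
        name, value = name.strip(), value.strip()
        # Reject malformed entries and CR/LF that could smuggle extra headers.
        if not sep or not name or any(c in name + value for c in "\r\n"):
            dropped.append(name)
            continue
        # Header names are case-insensitive, so compare in lower case.
        if name.lower() == "user-agent":
            if host not in allowlist:
                dropped.append(name)  # override ignored, app UA stays
                continue
            name = "User-Agent"  # replace the default rather than duplicate it
        headers[name] = value
    return headers, dropped


if __name__ == "__main__":
    print(build_headers(SAMPLE_PROVIDER))
```
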


Hi Menion,

Thank you for explaining your reasons. I also perfectly understand the reasoning of service providers too, and that allowing them to identify the client is the appropriate thing to do. This is something that should be done by default anyway. Under normal and fair usage conditions.

But at the same time, I feel that having an existing option removed or limited may leave us at a disadvantage once a service provider decides to just lock out Locus Map. Like in an extreme case where someone is spoofing the LM UA on his own custom HTTP client, to pull the tiles pretending to be Locus Map. There will be no easy way around this, because that customization option no longer works. I mean, if you lock this for your users, it won't stop anyone else from using your UA and breaking the service for others.


That said, I think this thread can be closed.


And I did install the latest version and found no issues with the satellite maps I like to have handy in LM. I honestly don't know if it is the use they have in their ToS (I have their dedicated app installed too, but I don't like to fire it up while outdoors, since it's resource heavy) but also I'm not mass downloading it - it is just sufficient for me to initially browse an area, then just use what's in the cache while I'm offline. I camp in the wild, which is already a violation of "ToS" here in Poland, so...


Hello,

Once you notice that any service provider blocks Locus Map, simply let us know and we will look at it. It has a simple solution: communication between us and the map provider. It usually works :).

You can't sleep in the wild? Ah, sorry to read it. So I violated Poland's "ToS" last time as well ... shame :).

Enjoy snow and stay healthy!

Jiří M. aka Menion
