This repository has been archived by the owner on Nov 15, 2017. It is now read-only.

user agent spoofing breaks paypal #393

Open
anarcat opened this issue Aug 8, 2014 · 7 comments

@anarcat

anarcat commented Aug 8, 2014

When using Paypal, even if I enable all resources in HTTPSB, the page loads then blanks out completely unless I disable user agent spoofing.

@gorhill
Owner

gorhill commented Aug 8, 2014

Well if the site's behavior depends on the user agent string to be specific values, there is nothing HTTPSB can do. One thing to try is to stick to user agent strings which are close to the real one, i.e. do not try to appear as a Firefox or IE browser, stick to user agent strings of Chromium-based browsers.

@ghost

ghost commented Aug 8, 2014

A similar thing can occur with referers.

I disable referer hiding on HTTPS, but I allow user agent spoofing, but all the values look like legitimate Chrome values.

I recommend disabling that option and using "Referer Control", blocking all referers unless an issue occurs, then making exceptions.

Maybe a similar addon exists for User-Agent?

On Friday, August 8, 2014, Raymond Hill notifications@github.com wrote:

> Well if the site's behavior depends on the user agent string to be specific values, there is nothing HTTPSB can do. One thing to try is to stick to user agent strings which are close to the real one, i.e. do not try to appear as a Firefox or IE browser, stick to user agent strings of Chromium-based browsers.


@anarcat
Author

anarcat commented Aug 8, 2014

Well, I wonder if it isn't that the UA changes during the "session" with PayPal...

@gorhill
Owner

gorhill commented Aug 8, 2014

What are the UA strings you currently use?

@gorhill
Owner

gorhill commented Aug 8, 2014

The UA string can change during a session. I remember wondering whether I should store the UA for specific pages, and then decided against it. So if it's the source of the problem, I guess I will have to store and reuse it for a page. I think that would be reasonable given that the primary goal is to avoid tracking across many sites, and in any case, a new UA string would be used after leaving the site and coming back after a few minutes.
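
The per-page reuse described in the comment above, as an added example (not HTTPSB's own code and not part of the original thread): a spoofed UA is kept for a page's hostname while the page is in use and replaced once the hostname has been idle past a timeout. Keying on the page hostname, the five-minute timeout in the test, the name `StickyUserAgent` and the pool of sample UA strings are assumptions.

```javascript
// Constructed sample pool: all entries look like Chromium-based browsers.
const UA_POOL = [
  'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
];

class StickyUserAgent {
  // idleMs: how long a page hostname may go unused before its UA is dropped.
  // now and pickIndex are injectable so the behaviour is deterministic in tests.
  constructor(pool, idleMs, now = Date.now,
              pickIndex = n => Math.floor(Math.random() * n)) {
    this.pool = pool;
    this.idleMs = idleMs;
    this.now = now;
    this.pickIndex = pickIndex;
    this.byHost = new Map(); // page hostname -> { ua, lastUsed }
  }

  // Return the UA bound to this page hostname, choosing a new one if none is live.
  uaFor(pageHostname) {
    const t = this.now();
    // Drop idle entries so a returning visit gets a fresh UA and the map stays small.
    for (const [host, entry] of this.byHost) {
      if (t - entry.lastUsed > this.idleMs) this.byHost.delete(host);
    }
    let entry = this.byHost.get(pageHostname);
    if (!entry) {
      entry = { ua: this.pool[this.pickIndex(this.pool.length)], lastUsed: t };
      this.byHost.set(pageHostname, entry);
    }
    entry.lastUsed = t; // every request from the page keeps the binding alive
    return entry.ua;
  }

  // requestHeaders has the [{name, value}] shape that
  // chrome.webRequest.onBeforeSendHeaders passes to its listener.
  rewrite(pageUrl, requestHeaders) {
    const ua = this.uaFor(new URL(pageUrl).hostname);
    let seen = false;
    const out = requestHeaders.map(h => {
      if (h.name.toLowerCase() !== 'user-agent') return h;
      seen = true;
      return { name: h.name, value: ua };
    });
    if (!seen) out.push({ name: 'User-Agent', value: ua });
    return out;
  }
}
```

Keying on the hostname of the page rather than of each request means sub-resources fetched from other hosts by the same page carry the same UA as the page itself.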

@gorhill
Owner

gorhill commented Aug 8, 2014

> I recommend disabling that option and using "Referer Control", blocking all referers unless an issue occurs, then making exceptions.

Not recommended to use another add-on which also modifies outbound or inbound headers, as only one extension is allowed to do so, which could undermine HTTPSB's ability to do its job (removing cookie headers, preventing inline javascript execution, etc.)

@ghost

ghost commented Aug 8, 2014

So far I haven't seemed to run into the issue if I ensure only 1 extension can modify one part of the header.

But yes, if I have User-Agent spoofing enabled (I don't, on ANY addon), HTTPSB causes Tampermonkey to get errors for some reason because Tampermonkey did something to the User-Agent somewhere for some reason that I'm not aware of.

I only have Referer Control capable/enabled of editing Referer and so far there has been no conflict.

The more I configure things, the fewer add-ons I'll have eventually, because I've had DoNotTrackMe getting errored by Disconnect for too long, and Disconnect is looking to soon get removed since I don't really need it.

On Friday, August 8, 2014, Raymond Hill notifications@github.com wrote:

> I recommend disabling that option and using "Referer Control", blocking all referers unless an issue occurs, then making exceptions.

> Not recommended to use another add-on which also modifies outbound or inbound headers, as only one extension is allowed to do so, which could undermine HTTPSB's ability to do its job (removing cookie headers, preventing inline javascript execution, etc.)

