lib: add navigator.userAgent

[anonrig]

Follow-up for #47769

cc @nodejs/tsc

[github-actions]

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @anonrig.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment.

[aduh95]

Two questions:

• Why is that semver-major?
• How is it relevant for Node.js?

[anonrig]

Two questions:

• Why is that semver-major?

Some packages might depend on navigator.userAgent to detect if it's not Node.js or not. I don't want to introduce breaking change.

• How is it relevant for Node.js?

navigator.userAgent is included in WINTERCG Minimum Common Web Platform API - https://common-min-api.proposal.wintercg.org

[meyfa]

The default value contained in this PR is currently different from the value used in native fetch, see: nodejs/undici#2306

There is also some discussion about not including the version number that may be of relevance here.

I think if Node.js exposes a user agent in multiple places, it needs to be the same everywhere.

[KhafraDev]

the version should be removed, so either "node.js" or "node". Undici uses "node" so that would make our lives easier (the fetch user-agent and navigator user-agent seem like they should be equal, although I'm not entirely sure).

[anonrig]

the version should be removed, so either "node.js" or "node". Undici uses "node" so that would make our lives easier (the fetch user-agent and navigator user-agent seem like they should be equal, although I'm not entirely sure).

Referencing WINTERCG, it's recommended to have a product version with the user agent. I'm more in favor of having the version:

User-Agent      = product *( RWS ( product / comment ) )
product         = token ["/" product-version]
product-version = token

[KhafraDev]

There are legitimate security concerns by adding the node version, maybe something like what Chrome is doing would be acceptable? If you don't want to click that they're replacing minor version numbers with zeros (ie. v20.1.1 -> v20.0.0). Is there any discussion about why a version number is required?

[Uzlopak]

I thought about the version.

I am +1 for adding the version.

First of all, the userAgent is in browsers used for requests. We dont expose the version via a http request nor via a http response. Browsers expose this information with their version via request and they dont consider it as a security issue. If it would be a security issue chrome, safari and co would have removed the version information long time ago.

Also comparing to deno and bun, they also expose the version.

So I am 100% hoping that the version gets exposed.

[GeoffreyBooth]

Browsers expose this information with their version via request and they dont consider it as a security issue.

Actually Chrome only exposes the major version; they consider exposing the minor/patch versions to be a security concern. See the Chrome/118.0.0.0 in the example above. All of the Chrome 118.x versions return 118.0.0.0 as the version.

But we can do the same, it’s better than not including a version.

[KhafraDev]

Chrome did limit it, from the link I posted above:

From Chrome 101 we replaced the minor version number with zeros, e.g. Chrome/101.3.2.1 became Chrome/101.0.0.0.

Firefox also limits some information (windows & macOS versions are capped at 10 and 10.15 respectively, and some architectures don't include any information in their user-agent header). (Source) I'd assume they have plans to limit it further.

[KhafraDev]

But we can do the same, it’s better than not including a version.

Yep, this was my proposed alternative.

[anonrig]

I'll update the PR with the proposed change.

[GeoffreyBooth]

This isn’t semver-major, the semver-major change was adding navigator in the first place. Now that navigator exists we should add all the properties people expect on it.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/55058/

[Uzlopak]

RSLGTM

[styfle]

the fetch user-agent and navigator user-agent seem like they should be equal

💯 agree!

Also something to consider: it looks like there is existing code out there that looks for Node.js string matching.

For example:

• consider userAgent missing flexdinesh/browser-or-node#25

[mcollina]

lgtm

[nodejs-github-bot]

Landed in 05a7810

[Ethan-Arrowood]

I really think the user-agent keys should match #50200 (comment)

Can we update it ?

[KhafraDev]

honestly i'm starting to question the benefit of having navigator whatsoever. I think there should be an agreement on if node should even have it before it's changed again.