Replies: 2 comments
-
I was working with the library recently and noticed that some user-agents change MEGA server's behavior in a way to cause bugs. I guess MEGA's team is using user-agent to make their servers keep working with third-party clients with unusual behaviors and, if you mistakenly name your app as one of those applications, you get affected too. Maybe the best solution is changing user-agent behavior from being opt-in instead of opt-out.
-
It detects Firefox and doesn't set a user-agent.
-
The library sets a user-agent so MEGA admins can know when someone is using this library and alert when they find vulnerabilities in it, like when I reported to them about a client using all-zero keys and, using the user-agent, they could find which client it was.
It's not an issue in most cases except in Firefox. The reason is that it allows client-side JavaScript to change the user-agent header, so, because of CORS, MEGA servers would need to whitelist this header; as they don't whitelist it, Firefox blocks connections. The documented workaround is just setting `userAgent` to `null` when deploying to a browser. That's really easy to do and I don't know why people don't read the documentation.
To avoid people talking about it again I propose the following: detect Firefox.
To be fair, that's dumb. The workaround is easy, Firefox could simply follow other browsers and stop client-side JavaScript from overriding the user-agent (which is weird) or MEGA can whitelist the header. Also browser detection, like trying to detect SpiderMonkey-specific behavior (like `new Error().stack.startsWith('@')`), is quite wacky: many of the browser detection techniques in this website don't work anymore (even those that are said to work). Even using `globalThis?.navigator?.userAgent?.includes('Firefox')` is tricky considering the current trend related to browser user-agents.
One other option is finding another way to communicate to MEGA which library version is being used. Except that I already asked them about that and I didn't get a proper answer.
If someone could reliably detect when a browser allows setting a user-agent when fetching without doing a fetch, that's an option.
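One way to approach the last point in the post above, as an added example that is not part of the original discussion or the library's code: under the Fetch standard, a header the runtime treats as forbidden is silently dropped when a `Request` is constructed, so building a `Request` (no network traffic) shows whether script can set `User-Agent`. The names `canOverrideUserAgent`, `pickUserAgent` and `PROBE_URL` are hypothetical, and the result is meant to feed the `userAgent` option the post mentions.

```javascript
// Added example: probe, without any network traffic, whether this runtime
// lets script set the User-Agent header on a fetch Request.
const PROBE_URL = 'https://probe.invalid/'; // constructed; never fetched

// Returns true when a script-supplied User-Agent survives Request
// construction, i.e. the runtime would really send it (and, in a browser,
// trigger a CORS preflight that must allow that header).
function canOverrideUserAgent(RequestCtor = globalThis.Request) {
  if (typeof RequestCtor !== 'function') return false; // no fetch API here
  try {
    const probe = new RequestCtor(PROBE_URL, {
      headers: { 'User-Agent': 'probe/0' },
    });
    // Forbidden headers are dropped silently, so a missing value means
    // the runtime ignores script-set User-Agent.
    return probe.headers.get('user-agent') === 'probe/0';
  } catch {
    return false; // constructor rejected the probe: assume no override
  }
}

// Hypothetical helper: choose the value to pass as the library's
// `userAgent` option. `isBrowser` and `RequestCtor` exist so the decision
// can be exercised outside a browser; both are assumptions of this example.
function pickUserAgent(defaultUserAgent, { isBrowser, RequestCtor } = {}) {
  const inBrowser = isBrowser ??
    (typeof window !== 'undefined' && typeof document !== 'undefined');
  // Outside a browser there is no CORS check, so keep the identifying header.
  if (!inBrowser) return defaultUserAgent;
  // In a browser that honours the override, the header would be sent and
  // blocked unless the server allows it, so fall back to the documented
  // workaround (null). Where the override is ignored, the default is harmless.
  return canOverrideUserAgent(RequestCtor ?? globalThis.Request)
    ? null
    : defaultUserAgent;
}
```

The probe reports what the runtime does with the header rather than guessing the browser's name, so it does not depend on `navigator.userAgent` or engine-specific stack formats.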