[fix] botdetection: check if the browser supports Sec-Fetch headers #4696
Bnyro
left a comment
I think that some bots use Firefox user agents, so this should be helpful for such.
I'm not sure if the general impact is as good as with @return42's PR because many bots will probably use other user agents than the common ones (or rotate different ones) - we'll have to see how it performs in production.
|
@return42 could you try on your searxng instance please :)? |
|
@unixfox please give me some more time ..
I want to implement an option for the SearXNG admins to switch additional browser tests from 399a31f on or off ... |
|
What do you mean? I'm not following you. All the browsers in https://github.com/searxng/searxng/pull/4696/files#diff-ab6d5589d48207e72a940dbaa37d671093e2e1e7bc9849faed4e3163ed72a1e7R41-R76 match all the browsers that exist and support these Sec-Fetch headers. Firefox, Chrome, Safari. |
|
Sorry, I quoted the wrong paragraph 🤦 .. I fixed my comment above to:
|
Again I'm not following what you want to do. It is not clear whether you want to implement an option to enable the feature "HTTP Fetch Metadata Request Headers" from PR #4696 or #3965. Or give the ability to add more browsers to check against "HTTP Fetch Metadata Request Headers". If it's the latter one: why? Only the browsers checked in https://github.com/searxng/searxng/pull/4696/files#diff-ab6d5589d48207e72a940dbaa37d671093e2e1e7bc9849faed4e3163ed72a1e7R41-R76 do support Sec-Fetch. Why give the ability to configure more? If there are more later on, then we can add them in the code. |
The PR #3965 doesn't care about the UA header and blocks when the Sec header is missing, while this PR looks at the UA header and blocks only when the UA header and the Sec header do not fit together .. I want to implement an option, so the admin can decide if he wants to care about the UA header or not. |
I'm sorry I do not want this option. Here is why: I do not want all the public instances of SearXNG to only work on these browsers:
Feel free to do that in your fork, on your instance, but I do not want such a thing in the general SearXNG core. Even if this is not going to be a default option, public instance owners will enable it because they want the best protection, and they will not understand the damage this is going to do. My PR as it is is a good balance to block based on one more factor (that, remember, can always be found by reading the source code) and avoid blocking legitimate users. So please, test it on your instance, give me some feedback on the efficiency in blocking bots (not legitimate users, if that can be analyzed). |
There will be documentation that clearly describes what the disadvantages can be. |
|
I'm reiterating what I said, I'm not adding such a feature. The built-in bot protection was created to reduce bots while fully knowing that anyone can bypass it by reading the source code, but I'm not turning it into a tool for restricting access to a class of browser families. There are a myriad of other factors to catch bots, this PR is not the only ultimate factor to block bots or reduce the effects from bots:
By the end of next week, I'm merging this PR as is, feel free to give me some feedback in case you test it. |
…earxng#4696)" Many bots will probably use other user agents than the common ones (or rotate different ones)[1]. On my instance I can observe how bots with other UA headers are no longer stopped with the patch of PR searxng#4696. This reverts PR searxng#4696 commit 19b116f. [1] searxng#4696 (review) Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
See my DRAFT: |
Related to #3965.
Check that the browsers checked do support the feature Sec-Fetch before blocking them based on this factor.
This avoids blocking legitimate users using ancient browsers that do not support these headers.
Reasoning explained: #3965 (comment)
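
The two behaviours contrasted in this thread, side by side, as an added example that is not the PR's code or SearXNG's implementation: blocking whenever Sec-Fetch headers are missing (as the thread describes #3965) versus blocking only when the User-Agent claims a browser that should send them (as this PR is described). The minimum versions, function names and sample requests are assumptions made for illustration.

```python
import re

# Assumed minimum versions that send Sec-Fetch-* headers, taken from public
# browser compatibility data, not from the PR's diff.
MIN_VERSION = {"firefox": (90, 0), "chrome": (80, 0), "safari": (16, 4)}

# Chrome's UA string also contains "Safari/", so Chrome is matched before Safari.
UA_PATTERNS = [
    ("firefox", re.compile(r"Firefox/(\d+)(?:\.(\d+))?")),
    ("chrome", re.compile(r"Chrom(?:e|ium)/(\d+)(?:\.(\d+))?")),
    ("safari", re.compile(r"Version/(\d+)(?:\.(\d+))?.*Safari/")),
]

def claims_sec_fetch_support(user_agent):
    """True if the UA names a browser version expected to send Sec-Fetch-*."""
    for name, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            version = (int(match.group(1)), int(match.group(2) or 0))
            return version >= MIN_VERSION[name]
    return False  # unknown or non-browser UA: nothing to cross-check

def has_sec_fetch(headers):
    return any(name.lower().startswith("sec-fetch-") for name in headers)

def strict_block(headers):
    """As the thread describes #3965: block whenever Sec-Fetch-* is missing."""
    return not has_sec_fetch(headers)

def ua_aware_block(headers):
    """As the thread describes this PR: block only on a UA/header mismatch."""
    ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
    return claims_sec_fetch_support(ua) and not has_sec_fetch(headers)

# Constructed sample requests, not real traffic.
FF128 = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
FF52 = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SAMPLES = {
    "modern browser": {"User-Agent": FF128, "Sec-Fetch-Mode": "navigate"},
    "modern UA, no Sec-Fetch": {"User-Agent": FF128},
    "ancient browser": {"User-Agent": FF52},
    "other UA": {"User-Agent": "example-client/1.0"},
}

def compare(samples=SAMPLES):
    """Map each sample to (strict_block, ua_aware_block)."""
    return {k: (strict_block(h), ua_aware_block(h)) for k, h in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24} strict={verdicts[0]!s:5} ua_aware={verdicts[1]}")
```

Browsers attach Sec-Fetch-* only to requests for potentially trustworthy URLs (HTTPS or localhost), so an instance reached over plain HTTP never receives them and either check would then misjudge real browsers.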