fingerprintjs / botd-integrations Goto Github PK

End-user loads an example app.

This needs to be an actual CloudFlare or Fastly link

• server-side detection or edge detection

As this app is not a demo in itself, it becomes a demo of integration only once it's coupled with some kind of integration, e.g. CloudFlare.

We should use end-user and end-user's browser instead of ambiguous terms like 'client'.
We should only use requestID everywhere. (or request-id when describing cookie values)

Response from origin returns to client's browser with cookie botd-request-id.

I think this step needs expansion and further clarification, e.g. that the request ID is random and its value can be used to retrieve the bot detection results etc.

From the readme:

Checking the Emulate bot checkbox will replace User-Agent to Headless Chrome. It will force the bot branch of the flow.

Steps to reproduce

(Chrome + FF Win10)

1. Tick Emulate bot checkbox.
2. Check user agent in the request.

Exptected user agent: Headless Chrome
Actual user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

There are probably two issues

Setting user agent

We are trying to set user agent like

Object.defineProperty(navigator, 'userAgent', {
                get: function () {
                    return userAgent;
                },
                configurable: true,
            });

Which doesn't work (Win10 Chrome and FF).
According to MDN documentation:

The User-Agent header is no longer forbidden header. It can be changed programatically by Fetch Headers object, or via XHR setRequestHeader().

Source: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
I believe we should change this implementation and tweak the user agent directly in the request instead.

Chromium bug

Even if we change the user agent the way mentioned above, it won't work in Chromium browsers due to this bug. I believe we should add a note to readme as well as directly to the sample app's login screen - something like: 'This demo does not work correctly on Chromium-based browsers.'

Food for thought

Another way might be changing the user agent directly on CDN/integration provider or BE according to the bot: on form data but I believe this might be confusing for users and must be explained properly.

• botd-request-id cookie should be HttpOnly and Secure