Blacklist

The feature detection mechanisms used to determine whether an end user's device has the features the Web-client needs to load and execute have some limitations. A blacklist function has therefore been developed to handle User Agents with known issues that prevent the Web-client from loading properly.

The User Agent string provided by the merchant in the initSession() request to BankID COI is checked against the regular expressions in the BankID blacklist. If there is a match, the initSession() response will contain an error message preventing the Web-client from loading.

There may still be combinations whose User Agent strings are not blacklisted and for which feature detection does not fail, yet the client does not load properly. Issues have been identified with some Safari versions older than 7; see Known issues for more information.

Blacklist content (in preproduction and production environments)

Regexp: " OS [2-6]_[^\s]* like Mac OS X "
Effect: Prevents any iOS versions lower than iOS 7
Reason: The window.crypto.getRandomValues() function does not return expected results on iOS 5.x and older. iOS 6.x yields the error BID-2031 due to CSP error and XDM ORIGIN ERROR.

Regexp: " Chrome/([0-9]|1[0-9]|2[0-4]) "
Effect: Chrome version 24 and lower on desktop and mobile
Reason: Chrome version 24 and lower use X-WebKit-CSP, and this header has been shown to behave differently over SSL. It appears that the default SSL port is not implemented correctly in X-WebKit-CSP.

Regexp: (?!.*(CriOS|OPiOS|Mercury|UCBrowser))(OS 7_0.* like Mac OS X.* Safari)
Effect: Prevents usage of Safari versions iOS 7.0.x
Reason: The combination iOS 7.0.x and Safari has proven not to load the Web-client correctly. The workaround is to upgrade iOS if possible, or use another browser, e.g. Chrome.

Regexp: " Firefox/([0-9]|1[0-9]|2[0-8])\. "
Effect: Firefox version 28 and lower on desktop and mobile.
Reason: FF versions <= 22 do not work due to FF blocking any use of inline-eval despite it being included in the CSP-directive set by BankID Norge. 22 < FF < 29 do not work due to an error in FF when parsing the merchantURL which is included in the connect-src directive from BankID Norge. The consequence is that the initAuth from the client is not closed and the client subsequently reports error BID-2031.

Regexp: Mac OS X.* Version/(5.*|6.*) Safari
Effect: Safari 5 and 6 on OS X
Reason: Safari 5 and 6 were put on the blacklist due to lack of support for standard CSP headers.

NB: As of release 2.0.4, the feature detection script (bid-browser-test.js) includes a blacklist check. Thus, merchants may use this script to see whether the end user's browser is able to load the Web-client before attempting to load the client itself. The script is documented in the release packages. 
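The blacklist check described above can be reproduced merchant-side before calling initSession(). This is an added example, not BankID's bid-browser-test.js or other BankID code: `BLACKLIST`, `checkUserAgent`, `SAMPLES` and `runSamples` are hypothetical names, the User Agent strings are constructed, the patterns are the current blacklist entries with the quote padding trimmed, and the trailing `\.` on the Chrome pattern is an assumption.

```javascript
// Added example, not BankID code. Patterns are the current blacklist entries from
// this page with the quote padding trimmed (assumption). All names are hypothetical.
const BLACKLIST = [
  { effect: "iOS lower than 7", re: /OS [2-6]_[^\s]* like Mac OS X/ },
  // Assumption: trailing \. added (as in the Firefox entry) so that the
  // "Chrome/3" prefix of "Chrome/30" does not match; the page prints it without.
  { effect: "Chrome 24 and lower", re: /Chrome\/([0-9]|1[0-9]|2[0-4])\./ },
  { effect: "Safari on iOS 7.0.x",
    re: /(?!.*(CriOS|OPiOS|Mercury|UCBrowser))(OS 7_0.* like Mac OS X.* Safari)/ },
  { effect: "Firefox 28 and lower", re: /Firefox\/([0-9]|1[0-9]|2[0-8])\./ },
  { effect: "Safari 5 and 6 on OS X", re: /Mac OS X.* Version\/(5.*|6.*) Safari/ },
];

// Returns the effect of the first matching blacklist entry, or null if the
// User Agent passes. The regexes carry no g flag, so test() keeps no state.
function checkUserAgent(ua) {
  const hit = BLACKLIST.find((entry) => entry.re.test(ua));
  return hit ? hit.effect : null;
}

// Constructed sample User Agent strings (not taken from the page).
const SAMPLES = {
  ios6Safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_3 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B329 Safari/8536.25",
  ios70Safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
  // Same OS as above, but the CriOS token trips the negative lookahead.
  ios70Chrome: "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) CriOS/34.0.1847.18 Mobile/11B554a Safari/9537.53",
  ios71Safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53",
  chrome24: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17",
  chrome40: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36",
  firefox28: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
  firefox29: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0",
  osxSafari6: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1",
};

// Maps each sample name to the blacklist verdict for its User Agent string.
function runSamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLES)) out[name] = checkUserAgent(ua);
  return out;
}

console.table(runSamples());
```

Keeping such samples as a regression set, with both should-block and should-allow strings around each version boundary, catches over-broad patterns before they reach the blacklist.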

Change log - blacklist content

Date: 13.10.2014
Regexp: " AppleWebKit/([0-9]|[0-9][0-9]|[0-5][0-3][0-5] "
Action: Removed
Reason: Regexp (wrongly) blocked several versions of the default Android browser

Date: 30.10.2014
Regexp: " Firefox/([0-9]|1[0-9]|2[0-8])\. "
Action: Added
Reason: See reason in the table above.

Date: 30.10.2014
Regexp: " (?!.(CriOS|OPiOS|Mercury|UCBrowser)) OS 7_0_[^\s] like Mac OS X.* Safari "
Action: Added
Reason: See reason in the table above.

Date: 30.10.2014
Regexp: " OS 6_.x like Mac OS X"
Action: Removed
Reason: Replaced by regexp for iOS 2-6.

Date: 30.10.2014
Regexp: " OS 5_.x like Mac OS X"
Action: Removed
Reason: Replaced by regexp for iOS 2-6.

Date: 30.10.2014
Regexp: " OS [2-6]_[^\s]* like Mac OS X "
Action: Added
Reason: See reason in the table above.

Date: 10.12.2014
Regexp: " (?=.Mac OS X)(?=.[5-6].([0-9]|[0-9].[0-9]) Safari) "
Action: Added
Reason: See reason in the table above.

Date: 10.03.2015
Regexp: " (?!.(CriOS|OPiOS|Mercury|UCBrowser)) OS 7_0_[^\s] like Mac OS X.* Safari "
Action: Removed
Reason: Replaced by entry below.

Date: 10.03.2015
Regexp: (?!.*(CriOS|OPiOS|Mercury|UCBrowser))(OS 7_0.* like Mac OS X.* Safari)
Action: Added
Reason: See reason in the table above.

Date: 10.03.2015
Regexp: " (?=.Mac OS X)(?=.[5-6].([0-9]|[0-9].[0-9]) Safari) "
Action: Removed
Reason: Replaced by entry below.

Date: 10.03.2015
Regexp: Mac OS X.* Version/(5.*|6.*) Safari
Action: Added
Reason: See reason in the table above.

(Page last updated: 04.06.2015)