Echoes
From browser strings to cookies to bot detection, every layer of web identity rests on a fiction that was reasonable when it was written.

The User-Agent String Taught Everyone to Lie

Your browser introduces itself to every server it contacts. The introduction contains six identity claims. One is accurate. The rest are fossils from thirty years of compatibility theater, each deposited when a new browser decided that honesty mattered less than getting the good content. When AI crawlers now send identical Chrome user-agent strings to pass as human visitors, they're following the string's own logic to completion. The web's access-control infrastructure still depends on this self-reported name tag. It was a courtesy, from an era when courtesy was enough.

Security Consequence
HTTP was stateless. Cookies faked statefulness, and the fake immediately leaked: any page could piggyback on another site's authenticated session. So Netscape Navigator 2 introduced the origin. Scheme, host, port. The W3C's 2011 security model acknowledged the concept was "born" from this need, not designed as a security primitive. RFC 6454 describes what followed as convergence, not architecture.
The origin locked things down. Too well. Legitimate cross-domain calls broke, so CORS spent a decade carefully re-permitting what SOP had blocked. One identity fiction required a security fiction to contain it. Web agents now navigate both fictions daily, hitting walls built for a threat model that never imagined them.

Fictions of State

A Shopping Cart's Long Shadow
In 1994, a 22-year-old engineer bolted memory onto a stateless protocol so shopping carts would work. Thirty years later, a trillion-dollar company spent six years trying to remove that fix and couldn't. The economic and political dependencies layered on a small text file had become load-bearing in ways no single actor could unwind. The first chapter of web identity's accidental infrastructure.

Rendering as Identity
When browsers started blocking cookies, the ad industry found another identifier hiding in plain sight: the subtle differences in how your specific hardware renders a line of text. Browser vendors engineered defenses. The largest advertising platform quietly legitimized the practice those defenses targeted. Fiction layered on fiction, each one less visible than the last. The second chapter—and this one leaves nothing on your device to delete.
