Modern-browser UA but the HTTP/2 stack matches no known browser engine

net.h2_unknown_vs_ua  ·  convicts

networklayer
coherencecategory
9evaders caught

What it catches

Chrome (m,a,s,p) and Firefox (m,p,a,s) send a POSITIVELY-identified h2 pseudo-header order; a Go/Python http2 client — or a browser fronted by a non-browser h2 proxy — under a Chrome/Firefox UA does not. The h2 analog of tls_no_grease, and a second network-layer tell beyond no_js_execution. Closes the gap where net.h2_vs_ua_browser stays silent on an *unrecognised* (not merely mismatched) h2 engine. v0.74.x FP FIX: emission (edge uaHasKnownH2Order) now EXCLUDES Safari UAs — real macOS/iOS Safari's on-wire order is unverified (the old m,s,p,a 'safari' seed was a guess; real Safari emits the generic m,s,a,p the table keeps 'unknown'), so 'unknown h2 under a Safari UA' is the edge's blind spot, not a contradiction, and convicting it false-positived EVERY real Safari. A Safari-UA-faking bot is still caught by its JA4 mismatch + the no-JS/Sec-Fetch/Accept-Encoding tells, so the carve-out loses no grounded coverage (mirrors the Firefox GREASE carve-out).

Signals it reads

network.h2_engine_unknown

How it fires

present

Evaders it caught 9

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections