[6.0] Pass default User-Agent header for for http requests

[joomdonation]

Pull Request for Issue #46295.

Summary of Changes

After migrating to the Framework HTTP package, some Joomla HTTP requests are sent without a User-Agent header, which can cause servers or firewalls to block them (e.g., during extension updates). This PR resolves the issue by ensuring Joomla’s default User-Agent is applied to these requests.

Testing Instructions

This PR makes change to different part of our code base, it will require carefully code review and approve from at least one maintainer

There are some important areas which needs to be tested:

• Use Joomla 6 (6.0.2 or nightly build)

• Apply patch from this PR

• Test update Joomla: Change You Joomla update to use this custom update server: https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46553/downloads/90762/pr_list.xml , then run the update and make sure it is updated properly

• Test extension update: Install an old version of the extension, for example Akeeba backup 10.0.4 https://www.akeeba.com/download/akeeba-backup/10-0-4.html , then try to update to latest version of the extension uses Joomla updater and make sure it is still working

• Test change to Languages model: Access to System - Manage - Languages, click on Install Languages button, make sure there is no error on the next page which display list of languages.

Would be great if you can also test the behavior of the following plugins, but not required

• Test GET Request scheduled task type (I personal tested it)
• Test System - Joomla! Statistics plugin (I also tested it)
• Test Multi-factor Authentication - YubiKey plugin. This one I never used or understand how it works, so I could not test it.

Actual result BEFORE applying this Pull Request

Some http requests sent from Joomla without User-Agent header

Expected result AFTER applying this Pull Request

All http requests sent from Joomla contains User-Agent header

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[joomdonation]

@SniperSister There are some changes to TUF related code which I do not understand the internal yet. I'm unsure if test update Joomla use Custom update server cover it or not. Could you please help reviewing to make sure it is OK, thanks.

[AlterBrains]

@joomdonation
Too much code duplication, it's better to keep using framework HTTP class but keep \Joomla\CMS\Http\HttpFactory which will auto-inject header by default (like in current 6.0.1)? CMS factory should be just rewritten a bit.
It's normal to use framework package but have CMS-specific factory which will resolve HTTP class with CMS-specific options.

[joomdonation]

@AlterBrains Thanks for your feedback and Yes, I agree with you that there is too much code duplication and that should be improved. However :

• If we modify code of CMS http factory to return framework http object, I haven't checked but I expect there would be difference between http from framework with the one from CMS, so we will have the risk with b/c break
• To be safe, I proposed to introduce a new method getHttpClient which return http object from framework, with default userAgent auto-injected. That would work. But @HLeithner suggested that we explode the idea of pushing http factor to container and then inject it automatically to model/controller when it is needed. That would take more time to implement, review and testing, so not suitable for a bug fix release

So think about this PR as a bugs fix to avoid these http requests being blocked by WAF as described in original issue due to missing user-agent. And then we will have to more to implement a proper solution in 6.1

[SniperSister]

There are some changes to TUF related code which I do not understand the internal yet. I'm unsure if test update Joomla use Custom update server cover it or not. Could you please help reviewing to make sure it is OK, thanks.

LGTM

[cyrez]

So think about this PR as a bugs fix to avoid these http requests being blocked by WAF as described in original issue due to missing user-agent. And then we will have to more to implement a proper solution in 6.1

Maybe a simple fix is just to reset back a default userAgent in the framework HttpFactory as it is done in CMS http package (used in updater before 6.0).

I did a PR on framework for that: joomla-framework/http#71

The changes were introduced by this PR: #45751

[joomdonation]

I did a PR on framework for that: joomla-framework/http#71

@cyrez The framework is independent with the CMS, we do not have CMS version available, so your PR would not work.

[cyrez]

I did a PR on framework for that: joomla-framework/http#71

@cyrez The framework is independent with the CMS, we do not have CMS version available, so your PR would not work.

Oh yes, you're right!

Updated it, tested and it works now (at least with the firewall on my hosting).

[joomdonation]

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

[kkbiswal]

I have tested this item ✅ successfully on dfd421d

Tested succesfully for this dfd421d as per the testing instruction .

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46553.}

[cyrez]

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

No, i meant the PR i did in the framework.

[cyrez]

Updated it, tested and it works now (at least with the firewall on my hosting).

Did you mean you tested this PR? If Yes, could you please report your test result? The issue addressed in this PR should be fixed

I will test it tomorrow, during PBF.
Could you maybe review the test instructions?
As it could be Joomla 6.0.2.
Too, is the URL https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46553/downloads/89844/pr_list.xml still valid?

About your test instructions, i supposed it fails before patch, and works after patch?

This could help to get more testers from PBF ;-)

On my side, i will do test with my own extension and own hosting server, enabling their firewall (which makes update fail) to test if it works with your patch. But by reviewing your code changes, it seems to be ok.

Thanks!

[joomdonation]

Thanks @cyrez . I updated testing instructions. The PR was from sometime ago, so the old download is not available anymore. I updated the testing instructions to use new URL https://artifacts.joomla.org/drone/joomla/joomla-cms/6.0-dev/46553/downloads/90762/pr_list.xml .

[cyrez]

I have tested this item ✅ successfully on 72a83b8

• Test update Joomla OK.
• Test with my third-party extensions update from a update server xml on a hosting server with firewall enabled (OVH) OK (without this patch, error 403 on update. Patch applied, update runs normally).
• Test change to Languages model: all is good. Can retrieve list of languages and install new translation packs.

Thank you @joomdonation

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46553.}

[exlemor]

I have tested this item ✅ successfully on 72a83b8

Hi @joomdonation - I was able to test this successfully!

Joomla update = 👍
Installed 2 different 3rd party extensions update = 👍
Installed additional German Languages model = 👍
I don't have a YubiKey so couldn't test that but tried PassKey Multifactor (unsure if that helped) = 👍

:)

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46553.}

[dautrich]

I tried to test the PR. Here is what I did:

• Tested locally using Laragon
• Started from a 6.0.2 with Patchtester 5.0.1
• Applied the patch from this PR
• Successfully updated using the Custom URL given
• Randomly tested some functionality in backend
• Displayed frontend
• Installed Akeeba Backup 10.0.3
• Checked for updates and successfully updated to Akeeba Backup 10.2.2
• Configured Akeeba Backup output directory and did a backup
• Tested the GET Request scheduled task (Target: www.neudorf-mkk.de, intervall 1 min)
• Tested the Joomla Statistics plugin
• Did not test MFA via Yubikey (I don't have one)
• Successfully tested MFA via Passkey (Windows 11)
• Installed German language, set it as default, and as content language

But checking the access log, I couldn't find any user agents. Here is the access log:
accesslog_46553.zip

Is this related to my basic setup (Laragon on localhost, Windows 11)? Or did I miss something? Do I have to set a backend option?

[joomdonation]

@dautrich Thanks for testing. In this case, these requests are sent to external servers, not the server where you site is hosted. So the user agent will be shown in access logs of these external servers (like Joomla server will you update Joomla, Akeeba server when you update Akeeba Backup....).

With your tests, all your operations are completed without any issues, so I will still count this as a success test.

[joomdonation]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46553.}

[dautrich]

I have tested this item ✅ successfully on 72a83b8

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46553.}

[dautrich]

@joomdonation

@dautrich Thanks for testing. In this case, these requests are sent to external servers, not the server where you site is hosted. So the user agent will be shown in access logs of these external servers (like Joomla server will you update Joomla, Akeeba server when you update Akeeba Backup....).

With your tests, all your operations are completed without any issues, so I will still count this as a success test.

You're perfectly right! The Get Request Task I used for testing went to one of my sites. I was able to find several of the resulting entries in my server's log:

185.17.205.0 - - [31/Jan/2026:18:22:35 +0100] "GET / HTTP/2.0" 200 68619 "-" "Mozilla/5.0 Joomla!/6.0.3-dev+pr.46553 Joomla"

[Bodge-IT]

Thank you @joomdonation and to all those who gave time to test.

[joomdonation]

Thanks to all for your support !