W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: remove/deprecate User-Agent header?

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 19 Aug 2010 22:47:07 +0200
To: Paul Wise <pabs3@bonedaddy.net>
Cc: ietf-http-wg <ietf-http-wg@w3.org>
Message-ID: <20100819204707.GE25591@1wt.eu>
On Thu, Aug 19, 2010 at 12:57:53PM +0000, Paul Wise wrote:
> On Thu, 2010-08-19 at 14:38 +0200, Julian Reschke wrote:
> > That doesn't mean there aren't good ones.
> 
> Do you have any examples? I'm unable to think of any.

There are people in the finance domain who use it to track automated
fraud attempts that are often performed by malware running inside the
browser and acting without the users' consent. Without giving details,
basically keep in mind that it's a browser signature that has no reason
to change within an application session.

Also, what causes the most UA-related breakage you often see on the web
in my opinion are the checks that are performed within the browser itself
using JS and that are never updated to consider fixed browsers. And you
won't fix that by removing the UA header.

> > Independently of that, what *effect* do you think making it "illegal" has?
> 
> Hopefully to stop user-agents from sending the header at all, servers
> from providing access to it in their logs or environment variables and
> web applications and sites from using it in hacks to discriminate
> against users of browsers from the wrong vendor.

That will not change anything. If you suggest to remove something which
has some uses, people will continue to use it as before. Just see how
cookies are used despite the two RFCs that tried to restrict them.

> If you mean at the protocol level, I would suggest servers return 400
> Bad Request when a client sends User-Agent.

What will happen then is that noone will enable this option because
admins want to get visits and not to kick valid visitors off of their
site.

Regards,
Willy
Received on Thursday, 19 August 2010 20:47:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:24 GMT