
Re: Require UAs and intermediary caches to assume Vary: User-Agent

From: Simon Pieters <simonp@opera.com>
Date: Wed, 17 Oct 2012 11:00:42 +0200
To: "Mark Nottingham" <mnot@mnot.net>
Cc: ietf-http-wg@w3.org
Message-ID: <op.wmbfbgltidj3kv@simons-macbook-pro.local>

On Wed, 17 Oct 2012 09:32:14 +0200, Mark Nottingham <mnot@mnot.net> wrote:

> Um, no.
>
> Not only will this retroactively make all intermediary caches  
> non-conformant, it'll also make them completely useless, because of the  
> large (and unnecessary) amount of variance in User-Agent headers.

OK, I can see now that it would make them useless.

> I understand there are security issues here caused by CORS,

The security issue under discussion in the referenced thread would  
materialize if browsers start allowing changing the User-Agent header in  
XHR without sanitizing it. However, that's not the reason I sent the  
email. The reason is that bz argued that intermediary caches are broken,  
which they are for pages on the Web that vary but don't say they vary,  
however that's not actually limited to the User-Agent header and is not a  
valid reason to require intermediary caches be useless instead of broken.

Also see  
http://lists.w3.org/Archives/Public/public-webapps/2012OctDec/0216.html
-- 
Simon Pieters
Opera Software
Received on Wednesday, 17 October 2012 09:01:19 GMT
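
The trade-off argued in this message, as an added example that is not part of the original email or of any cache implementation: a toy shared cache replayed against an origin that varies its body by User-Agent without sending Vary, first with standard keying and then with an assumed `Vary: User-Agent`. The class, the function names, the `/home` URL and the User-Agent strings are all constructed for illustration.

```python
# Added illustration: a simplified shared cache keyed on URL plus the request
# headers named in the stored response's Vary field. Not a real cache's code.

class SharedCache:
    def __init__(self, assume_vary_user_agent=False):
        self.assume_vary_ua = assume_vary_user_agent
        self.vary_for_url = {}   # url -> tuple of lower-cased Vary field names
        self.store = {}          # (url, selecting header values) -> body
        self.hits = self.misses = 0

    def _key(self, url, req_headers):
        names = self.vary_for_url.get(url, ())
        return (url, tuple(req_headers.get(n, "") for n in names))

    def fetch(self, url, req_headers, origin):
        req_headers = {k.lower(): v for k, v in req_headers.items()}
        key = self._key(url, req_headers)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.misses += 1
        body, vary = origin(url, req_headers)
        names = {n.strip().lower() for n in vary.split(",") if n.strip()}
        if self.assume_vary_ua:
            names.add("user-agent")  # the proposal: always treat UA as varying
        self.vary_for_url[url] = tuple(sorted(names))
        self.store[self._key(url, req_headers)] = body
        return body

def sniffing_origin(url, req_headers):
    # Constructed origin: the body depends on User-Agent, but no Vary is sent.
    mobile = "Mobile" in req_headers.get("user-agent", "")
    return ("mobile page" if mobile else "desktop page"), ""

# Constructed User-Agent strings: two desktop builds and one mobile build.
UAS = ["ExampleBrowser/12.1 (Desktop)", "ExampleBrowser/12.2 (Desktop)",
       "ExampleBrowser/12.1 (Mobile)"]

def replay(cache):
    # Each client requests the same URL twice, in round-robin order.
    bodies = [cache.fetch("/home", {"User-Agent": ua}, sniffing_origin)
              for ua in UAS * 2]
    return bodies, cache.hits, cache.misses
```

With standard keying the mobile client is served the cached desktop body; with the assumed Vary every distinct User-Agent string gets its own entry, so the two desktop builds no longer share one even though their bodies are identical.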
