- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Tue, 09 Oct 2012 14:11:00 +0200
- To: "Julian Aubourg" <j@ubourg.net>, "Jungkee Song" <jungkee.song@samsung.com>
- Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Should XHR allow scripts to set User-Agent?

Cons:
* The spec suggests the limitation helps ensure some "data integrity"
* Slight back-compat risks if we encounter scripts that attempt to set User-Agent on sites with backends that expect normal browser UA strings. This may sound far-fetched, but some sites do "fingerprint" the browser by the value of various headers and use this "fingerprint" as a security measure.

Pros:
* We should try to avoid imposing limitations on scripts, except when careful reasoning suggests we need those limitations
* User-Agent is not a very useful header in the first place; backends should not rely on it
* Allowing it can help scripts work around broken backends that DO abuse User-Agent - particularly useful with CORS, where one might want to get data from a site that allows cross-origin usage but has backend browser sniffing/blocking
* Conceptually, a JavaScript making HTTP requests can also claim to be acting on behalf of the user, being the user's "Agent".

Personally I'm strongly in favour of removing User-Agent from the list of prohibited headers. As an author I've experienced problems I could not solve due to this limitation.

--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Tuesday, 9 October 2012 12:12:08 UTC
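The behaviour under discussion, as an added example that is not part of the e-mail above or of any Opera or W3C code: a minimal emulation of the XMLHttpRequest setRequestHeader() algorithm as the spec described it around 2012. It shows the three outcomes a script can hit: an invalid name or value throws SyntaxError, a name on the prohibited list (User-Agent among them, plus anything starting with Proxy- or Sec-) is silently dropped, and a permitted header is stored, with repeated names combined. The prohibited-header list is transcribed here as an assumption about that spec revision; the FakeXHR class and its dropped property are illustrative names, not real browser API.

```javascript
// Added example (not from the original e-mail): emulation of XHR's
// setRequestHeader() validation as specified circa 2012, to show why a
// script's attempt to set User-Agent is silently ignored rather than
// rejected. The forbidden-header list is an assumption about that
// spec revision; FakeXHR is an illustrative name, not a browser API.

const FORBIDDEN_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'user-agent',
  'via',
]);

// RFC 2616 "token": one or more characters, no CTLs and no separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Header names are matched case-insensitively, and the two prefixes
// Proxy- and Sec- are blanket-forbidden so scripts cannot forge them.
function isForbiddenRequestHeader(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(lower) ||
    lower.startsWith('proxy-') || lower.startsWith('sec-');
}

// A value may not contain CR, LF or other control characters (HTAB is
// allowed); this is what stops a script from injecting extra header
// lines through a single setRequestHeader() call.
function isValidHeaderValue(value) {
  return !/[\x00-\x08\x0A-\x1F\x7F]/.test(value);
}

class FakeXHR {
  constructor() {
    this.headers = new Map(); // lower-cased name -> value actually sent
    this.dropped = [];        // names the script tried to set but lost
  }

  setRequestHeader(name, value) {
    // Step 1: syntax check; the spec throws SyntaxError here.
    if (!TOKEN_RE.test(name) || !isValidHeaderValue(value)) {
      throw new SyntaxError(`invalid request header: ${name}`);
    }
    // Step 2: forbidden names "terminate these steps" with no error,
    // so the script gets no signal that User-Agent was not applied.
    if (isForbiddenRequestHeader(name)) {
      this.dropped.push(name);
      return;
    }
    // Step 3: a repeated name is combined with the earlier value
    // using ", " rather than replacing it.
    const key = name.toLowerCase();
    this.headers.set(key,
      this.headers.has(key) ? `${this.headers.get(key)}, ${value}` : value);
  }

  getRequestHeader(name) {
    return this.headers.get(name.toLowerCase());
  }
}

// Walk-through with constructed inputs.
function demo() {
  const xhr = new FakeXHR();
  xhr.setRequestHeader('User-Agent', 'MyScript/1.0');       // dropped silently
  xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest'); // kept
  xhr.setRequestHeader('X-Requested-With', 'again');          // combined
  let injectionRejected = false;
  try {
    xhr.setRequestHeader('X-Custom', 'ok\r\nX-Injected: 1');
  } catch (e) {
    injectionRejected = e instanceof SyntaxError;
  }
  return {
    userAgentSent: xhr.getRequestHeader('User-Agent'),
    dropped: xhr.dropped,
    combined: xhr.getRequestHeader('X-Requested-With'),
    injectionRejected,
  };
}
```

The point for the debate above is the middle branch: a prohibited header is neither sent nor reported as an error, so an author working around a User-Agent-sniffing backend sees only the server's response change, never a client-side failure they can handle.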