
[XHR] Open issue: allow setting User-Agent?

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Tue, 09 Oct 2012 14:11:00 +0200
To: "Julian Aubourg" <j@ubourg.net>, "Jungkee Song" <jungkee.song@samsung.com>
Cc: "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.wlwusmc2a3v5gv@hr-desk>

Should XHR allow scripts to set User-Agent?

* The spec suggests the limitation helps ensure some "data integrity"
* Slight back-compat risks if we encounter scripts that attempt to set  
User-Agent on sites with backends that expect normal browser UA strings.  
This may sound far-fetched but some sites do "fingerprint" the browser by  
the value of various headers and use this "fingerprint" as a security  

* We should try to avoid imposing limitations on scripts, except when  
careful reasoning suggests we need those limitations
* User-Agent is not a very useful header in the first place, backends  
should not rely on it
* Allowing it can help scripts work around broken backends that DO abuse  
User-Agent - particularly useful with CORS, where one might want to get  
data from a site that allows cross-origin usage but has backend browser  
* Conceptually, a JavaScript making HTTP requests can also claim to be  
acting on behalf of the user, being the user's "Agent".

Personally I'm strongly in favour of removing User-Agent from the list of  
prohibited headers. As an author I've experienced problems I could not  
solve due to this limitation.

Hallvord R. M. Steen
Core tester, Opera Software
Received on Tuesday, 9 October 2012 12:12:08 UTC
