Re: [XHR] Open issue: allow setting User-Agent?

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Tue, 09 Oct 2012 15:29:11 +0200
To: "Anne van Kesteren" <annevk@annevk.nl>
Cc: "Julian Aubourg" <j@ubourg.net>, "Jungkee Song" <jungkee.song@samsung.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.wlwyexkqa3v5gv@hr-desk>
Anne van Kesteren <annevk@annevk.nl> wrote Tue, 09 Oct 2012 15:13:00 +0200

> it was once stated that allowing full control would be a security risk.

I don't think this argument has really been substantiated for the  
User-Agent header. I don't really see what security problems setting  
User-Agent can cause.

(To be honest, I think the list of disallowed headers in the current spec  
was something we copied from Macromedia's policy for Flash without much  
debate for each item).

> (If you mean this would help you from browser.js or similar such
> scripts I would lobby for making exceptions there, rather than for the
> whole web.)

Well, browser.js and user scripts *is* one use case but I fully agree that  
those are special cases that should not guide spec development.

However, if you consider the CORS angle you'll see that scripts out there  
are already being written to interact with another site's backend, and  
such scripts may face the same challenges as a user script or extension  
using XHR including backend sniffing. That's why experience from user.js  
development is now relevant for general web tech, and why I'm making this  
argument.

-- 
Hallvord R. M. Steen
Core tester, Opera Software
Received on Tuesday, 9 October 2012 13:30:30 GMT
