Re: [XHR] Open issue: allow setting User-Agent?

From: Julian Aubourg <j@ubourg.net>
Date: Tue, 9 Oct 2012 15:32:42 +0200
Message-ID: <CANUEoes00GEs-zXYDsi67jgvssewPHGcpm2GD0h=W9JUkmJ3Lg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, Jungkee Song <jungkee.song@samsung.com>, "public-webapps@w3.org" <public-webapps@w3.org>

I agree the use cases do not seem compelling. But I know I'm generally
surprised by what people can and will do. What problem did you encounter
that would have necessitated changing the User-Agent string, Hallvord? Is
it because of sites sniffing the wrong way? If so, I tend to agree with
Anne that this shouldn't be fixed in the XHR spec. Just think what a
malicious script could do to browser usage statistics (of course, no
browser vendor would ever try and rig the stats ;)). Also, there actually
are security concerns. While I trust open-source browsers (and mainstream
closed-source ones) not to try and trick servers into malicious operations,
I can't say the same for the whole web, especially malicious ad scripts.

On Tuesday, 9 October 2012, Anne van Kesteren wrote:

> On Tue, Oct 9, 2012 at 2:11 PM, Hallvord R. M. Steen <hallvord@opera.com> wrote:
> > Personally I'm strongly in favour of removing User-Agent from the list of
> > prohibited headers. As an author I've experienced problems I could not solve
> > due to this limitation.
>
> The use cases do not seem very compelling to me and I believe it was
> once stated that allowing full control would be a security risk.
> Developers can always set their own header to identify their scripts.
>
> (If you mean this would help you from browser.js or similar such
> scripts I would lobby for making exceptions there, rather than for the
> whole web.)
>
>
> --
> http://annevankesteren.nl/
>
Received on Tuesday, 9 October 2012 13:33:11 GMT