W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: [XHR] Open issue: allow setting User-Agent?

From: Jarred Nicholls <jarred@webkit.org>
Date: Tue, 9 Oct 2012 10:05:58 -0400
Message-ID: <CANufG2Md9cFTMvZNJCSsM_Z2MtWNNX7UPGiQq6wak5JN=rPRpw@mail.gmail.com>
To: "Hallvord R. M. Steen" <hallvord@opera.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Julian Aubourg <j@ubourg.net>, Jungkee Song <jungkee.song@samsung.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Tue, Oct 9, 2012 at 9:29 AM, Hallvord R. M. Steen <hallvord@opera.com>wrote:

> Anne van Kesteren <annevk@annevk.nl> skreiv Tue, 09 Oct 2012 15:13:00
> +0200
>  it was once stated that allowing full control would be a security risk.
> I don't think this argument has really been substantiated for the
> User-Agent header. I don't really see what security problems setting
> User-Agent can cause.
> (To be honest, I think the list of disallowed headers in the current spec
> was something we copied from Macromedia's policy for Flash without much
> debate for each item).
>  (If you mean this would help you from browser.js or similar such
>> scripts I would lobby for making exceptions there, rather than for the
>> whole web.)
> Well, browser.js and user scripts *is* one use case but I fully agree that
> those are special cases that should not guide spec development.
> However, if you consider the CORS angle you'll see that scripts out there
> are already being written to interact with another site's backend, and such
> scripts may face the same challenges as a user script or extension using
> XHR including backend sniffing. That's why experience from user.js
> development is now relevant for general web tech, and why I'm making this
> argument.
> --
> Hallvord R. M. Steen
> Core tester, Opera Software

I agree with Hallvord, I cannot think of any additional *real* security
risk involved with setting the User-Agent header.  Particularly in a CORS
situation, the server-side will (should) already be authenticating the
origin and request headers accordingly.  If there truly is a compelling
case for a server to only serve to Browser XYZ that is within scope of the
open web platform, I'd really like to hear that.

Received on Tuesday, 9 October 2012 14:06:55 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:49 UTC