
Re: [XHR] Open issue: allow setting User-Agent?

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Thu, 11 Oct 2012 12:23:21 +0200
To: "'Julian Aubourg'" <j@ubourg.net>, annevankesteren@gmail.com, "Jungkee Song" <jungkee.song@samsung.com>
Cc: public-webapps@w3.org
Message-ID: <op.wl0e47ofa3v5gv@hr-desk>
Jungkee Song <jungkee.song@samsung.com> wrote Thu, 11 Oct 2012 10:56:53 +0200

> IMO browser spoofing either through the browser's main HTTP request or  
> XHR request is not the ultimate way to handle the browser sniffing  
> issues in practical service scenarios.

Well, it would be a lot nicer to write specs for an ideal "ultimate" world  
for sure ;-)

In *this* world, this limits what script authors can do in a way that will  
leave them unable to solve some problems.
However, that MAY still be a reasonable decision if there are good reasons  
to do so! I agree with you that this is a judgement call with both pros  
and cons.

In this specific case I don't understand the full reasoning behind the  
limitation. Some of the rationale sounds more like "we think somebody once  
may have said it would cause a security problem". And I would like us to  
have a stronger rationale and more evidence when we limit what authors are  
allowed to do.

Maybe other members of public-webapps could help me out by suggesting  
threat scenarios and use cases where this limitation seems relevant?

-- 
Hallvord R. M. Steen
Core tester, Opera Software
Received on Thursday, 11 October 2012 10:24:31 GMT
