
Re: [XHR] Open issue: allow setting User-Agent?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 13 Oct 2012 11:48:47 -0400
Message-ID: <50798D5F.2030102@mit.edu>
To: public-webapps@w3.org

On 10/13/12 5:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for
> Flash's change in security policy when it banned setting User-Agent.
> Apparently, some sites echo the User-Agent value back in markup in
> certain contexts (maybe a "browser requirements" page for example).

And naturally do not send "Vary: User-Agent"?

> However, another threat might be using an XHR request to put a
> generated page with injected content in the browser's cache, then
> opening the page directly in a new window. The page would likely be
> taken from cache

This seems simple enough to deal with on the browser side: Assume "Vary: 
User-Agent" on all requests.  Probably a good idea anyway.

-Boris
Received on Saturday, 13 October 2012 15:49:15 GMT
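
The browser-side mitigation discussed in this message, as an added example that is not part of the original e-mail: a toy cache model comparing a URL-only cache key with one that treats every response as if it carried "Vary: User-Agent". The class and function names, the URL and the header values are all constructed for illustration.

```javascript
// Toy model of a browser HTTP cache; every name here is hypothetical.
class ToyCache {
  constructor({ assumeVaryUserAgent }) {
    this.assumeVaryUserAgent = assumeVaryUserAgent;
    this.entries = new Map(); // url -> array of stored variants
  }

  // Request header names whose values select the stored variant.
  varyFields(response) {
    const fields = (response.headers["vary"] || "")
      .split(",").map((f) => f.trim().toLowerCase()).filter(Boolean);
    if (this.assumeVaryUserAgent && !fields.includes("user-agent")) {
      fields.push("user-agent"); // implicit "Vary: User-Agent"
    }
    return fields;
  }

  fetch(url, requestHeaders, origin) {
    const variants = this.entries.get(url) || [];
    for (const v of variants) {
      // A stored variant is reusable only if every varying header matches.
      const match = v.fields.every((f) => v.request[f] === requestHeaders[f]);
      if (match) return { fromCache: true, body: v.response.body };
    }
    const response = origin(url, requestHeaders);
    variants.push({ fields: this.varyFields(response),
                    request: { ...requestHeaders }, response });
    this.entries.set(url, variants);
    return { fromCache: false, body: response.body };
  }
}

// Constructed origin: a "browser requirements" page that echoes User-Agent
// and sends no Vary header, as in the scenario discussed in the thread.
function echoingOrigin(url, requestHeaders) {
  return {
    headers: { "cache-control": "max-age=3600" },
    body: `<p>Your browser: ${requestHeaders["user-agent"]}</p>`,
  };
}

// An XHR-style request with a script-chosen User-Agent, followed by a
// top-level navigation to the same URL with the browser's real User-Agent.
function simulate(assumeVaryUserAgent) {
  const cache = new ToyCache({ assumeVaryUserAgent });
  const url = "https://site.example/requirements";
  cache.fetch(url, { "user-agent": "SCRIPT-CHOSEN-VALUE" }, echoingOrigin);
  return cache.fetch(url, { "user-agent": "RealBrowser/1.0" }, echoingOrigin);
}
```

With `simulate(false)` the navigation is answered from cache with the page generated for the script-chosen value; with `simulate(true)` it is a cache miss and the page is regenerated for the real User-Agent.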
