- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 15 Oct 2012 08:50:19 -0400
- To: Jungkee Song <jungkee.song@samsung.com>
- CC: public-webapps@w3.org, "'Hallvord Reiar Michaelsen Steen'" <hallvord@opera.com>, "'Julian Aubourg'" <j@ubourg.net>
On 10/15/12 7:18 AM, Jungkee Song wrote:

> but if a certain backend intends to provide its content under some browser requirements, isn't "Vary: User-Agent" sort of a required header to have the related caching proxy, if any, work correctly?

Yes, it is, but it's rare for websites to think about that sort of thing in my experience. In particular, I have yet to encounter a site that both does server-side UA sniffing _and_ sends Vary: User-Agent.

> Otherwise, subsequent requests on the same resource with a different User-Agent string would be regarded as a cache HIT in the caching proxy anyway.

Indeed.

> Anyway, the point here is that if changing the User-Agent is allowed in script, it will be possible for a malicious third party to set arbitrary User-Agent strings in generating XSS attacks.

While true, a third party can already do this with things like botnets, no? I'm not sure I see the additional threats here. Can you explain?

-Boris
Received on Monday, 15 October 2012 12:51:01 UTC
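The caching-proxy behaviour the two of them are discussing, as an added example that is not code from the thread: a Vary-aware cache keyed the way a shared proxy does it (primary key method+URL, secondary key the request header values named in Vary), run against constructed requests to a UA-sniffing origin. Without Vary: User-Agent the desktop client gets the mobile response cached for the earlier client; with it (or with Vary: *) the proxy misses and must revalidate with the origin. The URL, UA strings and bodies are constructed.

```python
# Vary-aware response caching as a shared caching proxy does it (RFC 7234 section 4.1).
# Added illustration, not code from the thread; all requests and responses are constructed.
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def _lower(headers: Headers) -> Headers:
    """Header field names are case-insensitive; normalise them for comparison."""
    return {k.lower(): v for k, v in headers.items()}


def parse_vary(value: str) -> Optional[List[str]]:
    """Sorted header names from a Vary field, or None for 'Vary: *' (never reusable)."""
    names = sorted({n.strip().lower() for n in value.split(",") if n.strip()})
    return None if "*" in names else names


class VaryAwareCache:
    """Each stored response remembers the request-header values named in its Vary
    field and only matches later requests that carry the same values."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], List[Tuple[tuple, dict]]] = {}

    def store(self, request: dict, response: dict) -> bool:
        names = parse_vary(_lower(response["headers"]).get("vary", ""))
        if names is None:
            return False  # Vary: * -> not cacheable
        req = _lower(request["headers"])
        selecting = tuple((n, req.get(n, "")) for n in names)
        key = (request["method"].upper(), request["url"])
        self._entries.setdefault(key, []).append((selecting, response))
        return True

    def lookup(self, request: dict) -> Optional[dict]:
        req = _lower(request["headers"])
        key = (request["method"].upper(), request["url"])
        for selecting, response in self._entries.get(key, []):
            if all(req.get(n, "") == v for n, v in selecting):
                return response
        return None  # miss: proxy has to go back to the origin


def served_from_cache(vary: str) -> Optional[str]:
    """Constructed scenario: the origin sniffs User-Agent and answers a mobile client;
    a desktop client then requests the same URL through the same proxy.
    Returns the cached body the desktop client receives, or None on a cache miss."""
    cache = VaryAwareCache()
    url = "https://example.test/page"  # constructed
    mobile = {"method": "GET", "url": url, "headers": {"User-Agent": "ExampleMobile/1.0"}}
    desktop = {"method": "GET", "url": url, "headers": {"User-Agent": "ExampleDesktop/1.0"}}
    cache.store(mobile, {"headers": {"Vary": vary} if vary else {}, "body": "mobile layout"})
    hit = cache.lookup(desktop)
    return None if hit is None else hit["body"]
```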