Re: [XHR] Open issue: allow setting User-Agent?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 15 Oct 2012 08:50:19 -0400
Message-ID: <507C068B.9000309@mit.edu>
To: Jungkee Song <jungkee.song@samsung.com>
CC: public-webapps@w3.org, "'Hallvord Reiar Michaelsen Steen'" <hallvord@opera.com>, "'Julian Aubourg'" <j@ubourg.net>
On 10/15/12 7:18 AM, Jungkee Song wrote:
> but if certain backend intends to provide its content under some browser requirements, isn't "Vary: User-Agent" sort of a required header to have a related caching proxy, if any, work correctly?

Yes, it is, but it's rare for websites to think about that sort of thing 
in my experience.

In particular, I have yet to encounter a site that both does server-side 
UA sniffing _and_ sends Vary: User-Agent.

> Otherwise, subsequent requests on the same resource with a different User-Agent string would be regarded as a cache HIT in caching proxy anyway.

Indeed.

> Anyway, the point here is that if changing of User-Agent is allowed in script, it will be possible for a malicious third party to set arbitrary User-Agent strings in generating XSS attacks.

While true, a third party can already do this with things like botnets, 
no?  I'm not sure I see the additional threats here.  Can you explain?

-Boris
Received on Monday, 15 October 2012 12:51:01 GMT
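The caching-proxy behaviour discussed in the exchange above (a UA-sniffing backend that does or does not send Vary: User-Agent), as a small constructed Python model added here; it is not code from the thread, and the origin, URL and User-Agent strings are hypothetical.

```python
# Constructed model of a caching proxy in front of a User-Agent-sniffing origin.
# Without "Vary: User-Agent" the proxy keys the entry on the URL alone, so a later
# client with a different User-Agent is served the first client's tailored body.


def origin(request: dict, send_vary: bool) -> dict:
    """Hypothetical backend that sniffs the User-Agent and tailors the body."""
    ua = request["headers"].get("user-agent", "")
    body = "legacy markup" if "OldBrowser" in ua else "modern markup"
    headers = {"cache-control": "max-age=3600"}
    if send_vary:
        headers["vary"] = "User-Agent"
    return {"body": body, "headers": headers}


def vary_selector(request: dict, vary: str) -> tuple:
    """Values of the request headers named in Vary; () when Vary is absent."""
    names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
    return tuple((n, request["headers"].get(n, "")) for n in names)


class CachingProxy:
    """Keys stored responses on URL plus the Vary-selected request header values."""

    def __init__(self, send_vary: bool):
        self.send_vary = send_vary
        self.store = {}  # (url, selector) -> cached response
        self.hits = 0

    def fetch(self, request: dict) -> dict:
        url = request["url"]
        for (cached_url, selector), resp in self.store.items():
            # A hit needs the same URL and matching values for every header in Vary.
            vary = resp["headers"].get("vary", "")
            if cached_url == url and selector == vary_selector(request, vary):
                self.hits += 1
                return resp
        resp = origin(request, self.send_vary)
        self.store[(url, vary_selector(request, resp["headers"].get("vary", "")))] = resp
        return resp


def serve_two_clients(send_vary: bool) -> tuple:
    """Two clients with different User-Agents fetch one URL via one proxy;
    returns (body seen by client 1, body seen by client 2, cache hits)."""
    proxy = CachingProxy(send_vary)
    old = {"url": "http://example.test/page", "headers": {"user-agent": "OldBrowser/1.0"}}
    new = {"url": "http://example.test/page", "headers": {"user-agent": "NewBrowser/9.0"}}
    first, second = proxy.fetch(old)["body"], proxy.fetch(new)["body"]
    return first, second, proxy.hits
```

`serve_two_clients(False)` returns the legacy body to both clients with one (wrong) cache hit, while `serve_two_clients(True)` gives each client its own body and no hit.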
