On Tue, Oct 16, 2012 at 11:21 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Again, "Vary: User-Agent" is the answer here, from the browser's point of
> view.

Agreed.

> I agree that this would be good to discuss in a security implications
> section. The spec could even require that responses to XHR with custom UA
> simply not be cached, if we want to play it safe.

That would be an improvement, but wouldn't solve the problem of intermediary cache poisoning.

Julian Aubourg wrote:
> Couldn't we simply state in the spec that browsers must add the User-Agent header to the Vary list, all the time?

Vary is a response header, set by the server.

Mark.

Received on Tuesday, 16 October 2012 17:05:23 GMT
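The point made in this thread, that a cache only keys on User-Agent when the server's response says `Vary: User-Agent`, can be seen in a small model of a shared cache. This is an added example, not part of the original message; the `SharedCache` class, the origin function, the URL and the User-Agent strings are all constructed for illustration.

```javascript
// Minimal model of a shared (intermediary) HTTP cache honouring Vary.
// Everything here is hypothetical illustration code, not a real proxy.
class SharedCache {
  constructor(origin) {
    this.origin = origin;   // function(url, reqHeaders) -> { headers, body }
    this.store = new Map(); // URL -> array of stored variants
  }

  // A stored variant matches when every request header named in the
  // response's Vary field has the same value as in the storing request.
  static matches(variant, reqHeaders) {
    return variant.vary.every(
      (name) => (variant.reqHeaders[name] || "") === (reqHeaders[name] || "")
    );
  }

  fetch(url, reqHeaders) {
    const variants = this.store.get(url) || [];
    const hit = variants.find((v) => SharedCache.matches(v, reqHeaders));
    if (hit) return { body: hit.body, fromCache: true };

    const res = this.origin(url, reqHeaders);
    // Vary comes from the response: the requesting client cannot add to it.
    const vary = (res.headers["vary"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    variants.push({ vary, reqHeaders: { ...reqHeaders }, body: res.body });
    this.store.set(url, variants);
    return { body: res.body, fromCache: false };
  }
}

// Constructed origin whose body depends on the request's User-Agent.
function makeOrigin(sendVary) {
  return (url, reqHeaders) => ({
    headers: sendVary ? { vary: "User-Agent" } : {},
    body: "content for " + reqHeaders["user-agent"],
  });
}

function demo(sendVary) {
  const cache = new SharedCache(makeOrigin(sendVary));
  // First request: XHR with a script-supplied User-Agent (constructed value).
  cache.fetch("/page", { "user-agent": "CustomUA/1.0" });
  // Second request: a different client sending its real User-Agent.
  return cache.fetch("/page", { "user-agent": "RealBrowser/9.0" });
}
```

Without the server's `Vary: User-Agent`, the second client is served the variant stored for the custom User-Agent; with it, the cache treats the two requests as distinct and goes back to the origin.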