
Re: [XHR] Open issue: allow setting User-Agent?

From: Mark Baker <mark@zepheira.com>
Date: Tue, 16 Oct 2012 13:04:52 -0400
Message-ID: <CALcoZiofq8YQ0C-pn7jCYYkL8rf5GU9H_AvJ3ixk1yth9qoXSw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Hallvord Reiar Michaelsen Steen <hallvord@opera.com>, Jungkee Song <jungkee.song@samsung.com>, Julian Aubourg <j@ubourg.net>, public-webapps@w3.org
On Tue, Oct 16, 2012 at 11:21 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Again, "Vary: User-Agent" is the answer here, from the browser's point of
> view.


> I agree that this would be good to discuss in a security implications
> section.  The spec could even require that responses to XHR with custom UA
> simply not be cached, if we want to play it safe.

That would be an improvement, but wouldn't solve the problem of
intermediary cache poisoning.

Julian Aubourg wrote:
> Couldn't we simply state in the spec that browsers must add the User-Agent header to the Vary list, all the time?

Vary is a response header, set by the server.

Received on Tuesday, 16 October 2012 17:05:23 UTC
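
The following is an added example, not part of the message above or of the XHR spec. It models a shared intermediary cache to show why response reuse hinges on the server's `Vary` response header, which the requesting browser cannot supply. The origin function, cache class, URL and User-Agent strings are all constructed for illustration.

```javascript
// Toy model of a shared (intermediary) HTTP cache. All names and values are constructed.
function makeOrigin(sendVary) {
  // Origin whose body depends on User-Agent; sendVary controls whether it declares that.
  return function origin(req) {
    const headers = sendVary ? { vary: "User-Agent" } : {};
    return { headers, body: "page for " + req.headers["user-agent"] };
  };
}

class SharedCache {
  constructor(origin) {
    this.origin = origin;
    this.store = new Map(); // url -> list of { varyOn, selecting, response }
  }
  fetch(req) {
    const entries = this.store.get(req.url) || [];
    // A stored response is reusable only if every request header named in its
    // Vary matches the request that created it; "Vary: *" is never reusable.
    const hit = entries.find(e =>
      !e.varyOn.includes("*") &&
      e.varyOn.every(h => e.selecting[h] === req.headers[h]));
    if (hit) return { ...hit.response, fromCache: true };
    const response = this.origin(req);
    const varyOn = (response.headers.vary || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    const selecting = {};
    for (const h of varyOn) selecting[h] = req.headers[h];
    this.store.set(req.url, entries.concat({ varyOn, selecting, response }));
    return { ...response, fromCache: false };
  }
}

function run(sendVary) {
  const cache = new SharedCache(makeOrigin(sendVary));
  const url = "http://example.test/";
  // First request: a script-chosen User-Agent (what the open issue would allow).
  cache.fetch({ url, headers: { "user-agent": "CustomUA/1.0" } });
  // Second request: a different client sending its real User-Agent.
  return cache.fetch({ url, headers: { "user-agent": "RealBrowser/9.0" } });
}

const withoutVary = run(false);
const withVary = run(true);
console.log("no Vary  :", withoutVary.body, "| fromCache =", withoutVary.fromCache);
console.log("with Vary:", withVary.body, "| fromCache =", withVary.fromCache);
```

Without `Vary: User-Agent` from the origin, the second client is served the entry created by the first request; with it, the cache stores the variants separately.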
