W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: [XHR] Open issue: allow setting User-Agent?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 17 Oct 2012 12:02:51 -0400
Message-ID: <507ED6AB.9090604@mit.edu>
To: Jungkee Song <jungkee.song@samsung.com>
CC: "'Hallvord Reiar Michaelsen Steen'" <hallvord@opera.com>, "'Mark Baker'" <mark@zepheira.com>, public-webapps@w3.org, "'Julian Aubourg'" <j@ubourg.net>
On 10/17/12 3:36 AM, Jungkee Song wrote:
> But my concern was even if browser acts as such, intermediary caches would still return forged content in its cache rather than trying to make a fresh request to origin server. That is, authors would expect that they are free from cache poisoning threat based off of the spec, but it might not be true when caching proxy is involved. Unless server itself actually puts "Vary: User-Agent" in the response, we cannot entirely avoid the cache poisoning scenario.

That's true.  And while such a caching proxy would, once again, be 
broken on real-world content, that doesn't help the security situation.

Does sanitizing the UA value to exclude certain chars (most 
particularly, '<' and company) help enough here?

-Boris
Received on Wednesday, 17 October 2012 16:03:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:55 GMT