Re: [XHR] Open issue: allow setting User-Agent?

From: Mike Taylor <miket@opera.com>
Date: Wed, 17 Oct 2012 15:29:43 -0500
Message-ID: <507F1537.4050308@opera.com>
To: public-webapps@w3.org

On 10/13/12 4:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for 
> Flash's change in security policy when it banned setting User-Agent. 
> Apparently, some sites echo the User-Agent value back in markup in 
> certain contexts (maybe a "browser requirements" page for example). 
> Being able to set User-Agent from web content thus might cause XSS 
> issues for such pages. These backends never had any reason to filter 
> the User-Agent string before, so they probably don't. 

For fun I set my UA string [1] to the following, just to see what, if 
anything, would break:

"Opera/9.80 (Macintosh; Intel Mac OS X 10.8.2; U; en) Presto/2.10.289 
Version/12.02 <script>alert('o hai')</script>"

The obvious targets were sites that echo UA strings:

http://whatsmyuseragent.com/ alerts (and for some reason the styles of 
the page are broken)
http://whatsmyua.com/ gives a missing rails template page
http://logme.mobi/ alerts twice (one for navigator.userAgent, another 
for User-Agent:)
http://www.whatismyip.com/tools/user-agent-info.asp alerts
http://youruseragent.info/what-is-my-user-agent is sanitized
http://my-addr.com/ua is sanitized

[1] via opera:config#UserPrefs|CustomUser-Agent

-- 
Mike Taylor
Opera Software
Received on Wednesday, 17 October 2012 20:30:24 GMT
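
Added example, not part of the original message or of any site named in it: a server-side echo of the User-Agent header rendered without and with HTML escaping, followed by a parser-based check that tells the two outcomes apart ("alerts" versus "is sanitized"). The page template, function names and audit helper are assumptions made for illustration; only the UA value is taken from the message.

```python
import html
from html.parser import HTMLParser

# UA value quoted in the message above; everything else here is constructed.
TEST_UA = ("Opera/9.80 (Macintosh; Intel Mac OS X 10.8.2; U; en) "
           "Presto/2.10.289 Version/12.02 <script>alert('o hai')</script>")

# Hypothetical "what is my user agent" page template.
PAGE = "<!doctype html><title>Your browser</title><p>Your User-Agent: {ua}</p>"


def render_unescaped(headers):
    """Echo the header verbatim, so markup in the header becomes page markup."""
    return PAGE.format(ua=headers.get("User-Agent", ""))


def render_escaped(headers):
    """Treat the header as untrusted text and HTML-escape it before echoing."""
    return PAGE.format(ua=html.escape(headers.get("User-Agent", ""), quote=True))


class EchoAudit(HTMLParser):
    """Parse a response and record script elements and visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

    def handle_data(self, data):
        self.text.append(data)


def audit(page):
    """Return (number of script elements parsed, concatenated text content)."""
    parser = EchoAudit()
    parser.feed(page)
    parser.close()
    return parser.scripts, "".join(parser.text)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        scripts, _ = audit(render({"User-Agent": TEST_UA}))
        print(render.__name__, "script elements:", scripts)
```

The escaped page still shows the full UA string to the reader as text; only its interpretation as markup changes.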