- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 19 Aug 2010 22:47:07 +0200
- To: Paul Wise <pabs3@bonedaddy.net>
- Cc: ietf-http-wg <ietf-http-wg@w3.org>
On Thu, Aug 19, 2010 at 12:57:53PM +0000, Paul Wise wrote:
> On Thu, 2010-08-19 at 14:38 +0200, Julian Reschke wrote:
> > That doesn't mean there aren't good ones.
>
> Do you have any examples? I'm unable to think of any.

There are people in the finance domain who use it to track automated fraud attempts that are often performed by malware running inside the browser and acting without the users' consent. Without giving details, basically keep in mind that it's a browser signature that has no reason to change within an application session.

Also, what causes the most UA-related breakage you often see on the web in my opinion are the checks that are performed within the browser itself using JS and that are never updated to consider fixed browsers. And you won't fix that by removing the UA header.

> > Independently of that, what *effect* do you think making it "illegal" has?
>
> Hopefully to stop user-agents from sending the header at all, servers
> from providing access to it in their logs or environment variables and
> web applications and sites from using it in hacks to discriminate
> against users of browsers from the wrong vendor.

That will not change anything. If you suggest removing something which has some uses, people will continue to use it as before. Just see how cookies are used despite the two RFCs that tried to restrict them.

> If you mean at the protocol level, I would suggest servers return 400
> Bad Request when a client sends User-Agent.

What will happen then is that no one will enable this option because admins want to get visits and not to kick valid visitors off of their site.

Regards,
Willy
Received on Thursday, 19 August 2010 20:47:41 UTC
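The message above notes that the User-Agent is a browser signature with no reason to change within an application session. As an added example (not code from the message or from any system its author refers to), here is one way a server-side check could flag requests whose User-Agent differs from the one first seen in the same session. The log layout with a trailing `sid=` field, the sample lines and the function name are assumptions constructed for illustration.

```python
import re

# Assumed layout: Apache combined log format plus a trailing "sid=<session id>".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)

FX = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6.8"
# Constructed sample records, not real traffic.
SAMPLE_LOG = f"""\
203.0.113.5 - - [19/Aug/2010:20:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "{FX}" sid=a1
203.0.113.5 - - [19/Aug/2010:20:01:09 +0000] "GET /accounts HTTP/1.1" 200 2048 "-" "{FX}" sid=a1
198.51.100.7 - - [19/Aug/2010:20:02:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "{FX}" sid=b2
198.51.100.7 - - [19/Aug/2010:20:02:31 +0000] "POST /transfer HTTP/1.1" 200 90 "-" "-" sid=b2
198.51.100.7 - - [19/Aug/2010:20:02:40 +0000] "GET /accounts HTTP/1.1" 200 2048 "-" "{FX}" sid=b2
this line is truncated and must be skipped
192.0.2.9 - - [19/Aug/2010:20:03:00 +0000] "GET / HTTP/1.1" 200 100 "-" "{FX}" sid=-
"""


def find_ua_changes(lines):
    """Return {sid: [(timestamp, request, baseline_ua, observed_ua), ...]}.

    The first User-Agent seen for a session is its baseline; every later
    request in that session carrying a different value (including an
    absent header, logged as "-") is reported.
    """
    baseline = {}
    findings = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sid"] == "-":
            continue  # unparseable record or request outside any session
        sid, ua = m["sid"], m["ua"]
        first = baseline.setdefault(sid, ua)
        if ua != first:
            findings.setdefault(sid, []).append((m["ts"], m["req"], first, ua))
    return findings


if __name__ == "__main__":
    for sid, events in find_ua_changes(SAMPLE_LOG.splitlines()).items():
        for ts, req, first, seen in events:
            print(f"session {sid} at {ts}: {req!r} sent UA {seen!r}, baseline {first!r}")
```

A mismatch is a signal to review together with other session data, since the header is client-controlled and software that copies the browser's value will not trip this check.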