Re: Require UAs and intermediary caches to assume Vary: User-Agent

On Wed, 17 Oct 2012 09:32:14 +0200, Mark Nottingham <> wrote:

> Um, no.
> Not only will this retroactively make all intermediary caches  
> non-conformant, it'll also make them completely useless, because of the  
> large (and unnecessary) amount of variance in User-Agent headers.

OK, I can see now that it would make them useless.

> I understand there are security issues here caused by CORS,

The security issue under discussion in the referenced thread would  
materialize if browsers start allowing changing the User-Agent header in  
XHR without sanitizing it. However, that's not the reason I sent the  
email. The reason is that bz argued that intermediary caches are broken,  
which they are for pages on the Web that vary but don't say they vary;  
however, that's not actually limited to the User-Agent header and is not a  
valid reason to require intermediary caches be useless instead of broken.

Also see
Simon Pieters
Opera Software

Received on Wednesday, 17 October 2012 09:01:19 UTC
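
An added illustration of the trade-off argued in this thread, not part of the original email: a toy shared cache replayed against an origin that varies its response by User-Agent, with and without declaring `Vary`, and with the proposed "always assume Vary: User-Agent" behaviour. `SharedCache`, `origin`, `replay` and the User-Agent strings are hypothetical names and constructed sample data.

```python
# Constructed simulation; all names and User-Agent strings are hypothetical.
class SharedCache:
    def __init__(self, assume_vary_ua=False):
        self.assume_vary_ua = assume_vary_ua  # the behaviour proposed in the thread
        self.vary = {}    # url -> header names the stored response varies on
        self.store = {}   # (url, selected request header values) -> body
        self.hits = self.misses = 0

    @staticmethod
    def _key(url, req_headers, names):
        return (url, tuple((n, req_headers.get(n, "")) for n in names))

    def fetch(self, url, req_headers, origin):
        names = self.vary.get(url)
        if names is not None:
            key = self._key(url, req_headers, names)
            if key in self.store:
                self.hits += 1
                return self.store[key]
        self.misses += 1
        body, vary = origin(url, req_headers)
        fields = {h.strip().lower() for h in vary.split(",") if h.strip()}
        if self.assume_vary_ua:
            fields.add("user-agent")
        names = sorted(fields)
        self.vary[url] = names
        self.store[self._key(url, req_headers, names)] = body
        return body

def origin(declare_vary):
    """Origin that serves a different body per User-Agent class."""
    def handler(url, req_headers):
        mobile = "Mobile" in req_headers.get("user-agent", "")
        body = "mobile page" if mobile else "desktop page"
        return body, ("User-Agent" if declare_vary else "")
    return handler

# Constructed traffic: two desktop builds that differ only in version, one mobile.
TRAFFIC = ["ExampleBrowser/1.0 (Desktop)", "ExampleBrowser/1.0 (Mobile)",
           "ExampleBrowser/1.1 (Desktop)", "ExampleBrowser/1.0 (Desktop)"]

def replay(assume_vary_ua, declare_vary):
    cache, handler = SharedCache(assume_vary_ua), origin(declare_vary)
    bodies = [cache.fetch("/home", {"user-agent": ua}, handler) for ua in TRAFFIC]
    return bodies, cache.hits, cache.misses

if __name__ == "__main__":
    print("undeclared vary, standard cache:", replay(False, False))
    print("undeclared vary, assumed Vary  :", replay(True, False))
    print("declared Vary, standard cache  :", replay(False, True))
```

The first run serves the desktop body to the mobile client (the "broken" case), while the second is correct but refetches an identical body for every distinct User-Agent string (the "useless" case).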