- From: Tiffany B. Brown <tiffanyb@opera.com>
- Date: Mon, 12 Nov 2012 08:27:45 -0800
- To: ietf-http-wg@w3.org
On 11/7/12 2:50 PM, Amos Jeffries wrote:

> ... and why must a new header be added with identical usage, syntax and
> handling as User-Agent be created to perform User-Agent operations?
> In section 4 the example does not match the BNF.
>
> Following the format:
> Device-Stock-UA = "Device-Stock-UA" ":" (User-Agent)
> User-Agent = <Defined in RFC2616 Section 14.43>
>
> We get:
> Device-Stock-UA: User-Agent: CERN-LineMode/2.15 libwww/2.17b3
>
>
> Correcting that mistake the uselessness of creating this header becomes
> completely obvious:
>
> {{
> Device-Stock-UA = "Device-Stock-UA" ":" 1*( product | comment )
> User-Agent = "User-Agent" ":" 1*( product | comment )
> }}

It's the identical usage, syntax, and handling, but for two different products installed on the same device. It's an optional header and not without precedent; transcoders also use this model. Perhaps most importantly, it's compatible with existing device adaptation practices.

> You might as well define this as a listing of ALL software, Java class,
> active component, and hardware chip serial number installed on the
> device. Just in case some marketer or website widget *might* want to
> know. Do you see the problem? If not have a look at IE6 UA string after
> a few hundred KB patches have been applied - utter mess useful only to
> help malicious attackers target specific missing patches.

Again: this header, if sent, would reveal marginally more than what the native HTTP client reveals. It would certainly reveal no more than what client-side feature detection reveals (the navigator.plugins object, for example). It's about the same risk that exists with any sort of user agent string change.

> The operating UA is already free to embed the device stock UA into its
> own UA string using the same format. If it is making use of that UA
> capabilities to generate the request that is reasonable.
>
> I for one see zero benefit from creating this header.
>
> Amos

--
Tiffany Brown, Developer Relations & Tools
Opera Software ASA (www.opera.com)
Twitter / AIM: webinista * Skype: tiffanybbrown
Received on Monday, 12 November 2012 16:28:18 UTC