- From: Erling Ellingsen <notifications@github.com>
- Date: Tue, 07 Apr 2015 05:24:33 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 7 April 2015 12:25:03 UTC
There is value in having a reliable user-agent header. Historically we've had some browser bugs where it was possible to protect the user server-side, but where the fix would be too expensive (in terms of cost, perf or user annoyance) to apply to all users. More commonly, a new browser feature might allow some feature to be reimplemented in a more secure way; with a reliable user-agent header, it's easy to disable the "unsafe" back-compat implementation in decent browsers.

If a malicious script can lie about the browser version, protecting against such attacks becomes a lot harder. (The fact that this is same-origin-or-CORS-only helps a lot, of course, but not in the case where the particular browser bug is that the browser is confused about what counts as the same origin...)

Would a solution where the user data is either appended or prepended to the 'responsible' user agent be an acceptable compromise?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/37#issuecomment-90532230