- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Tue, 09 Oct 2012 15:29:11 +0200
- To: "Anne van Kesteren" <annevk@annevk.nl>
- Cc: "Julian Aubourg" <j@ubourg.net>, "Jungkee Song" <jungkee.song@samsung.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Anne van Kesteren <annevk@annevk.nl> wrote Tue, 09 Oct 2012 15:13:00 +0200

> it was once stated that allowing full control would be a security risk.

I don't think this argument has really been substantiated for the User-Agent header. I don't really see what security problems setting User-Agent can cause.

(To be honest, I think the list of disallowed headers in the current spec was something we copied from Macromedia's policy for Flash without much debate for each item).

> (If you mean this would help you from browser.js or similar such
> scripts I would lobby for making exceptions there, rather than for the
> whole web.)

Well, browser.js and user scripts *is* one use case but I fully agree that those are special cases that should not guide spec development.

However, if you consider the CORS angle you'll see that scripts out there are already being written to interact with another site's backend, and such scripts may face the same challenges as a user script or extension using XHR including backend sniffing. That's why experience from user.js development is now relevant for general web tech, and why I'm making this argument.

--
Hallvord R. M. Steen
Core tester, Opera Software
Received on Tuesday, 9 October 2012 13:30:30 UTC