I agree the use cases do not seem compelling. But I know I'm generally
surprised by what people can and will do. What problem did you encounter
that would have necessitated changing the User-Agent string, Hallvord? Is
it because of sites sniffing the wrong way? If so, I tend to agree with
Anne that this shouldn't be fixed in the XHR spec. Just think what a
malicious script could do to browser usage statistics (of course, no
browser vendor would ever try and rig the stats ;)). Also, there actually
are security concerns. While I trust open-source browsers (and mainstream
closed-source ones) not to try and trick servers into malicious operations,
I can't say the same for the whole web, especially malicious ad scripts.
On Tuesday, 9 October 2012, Anne van Kesteren wrote:
> On Tue, Oct 9, 2012 at 2:11 PM, Hallvord R. M. Steen <hallvord@opera.com>
> wrote:
> > Personally I'm strongly in favour of removing User-Agent from the list of
> > prohibited headers. As an author I've experienced problems I could not
> > solve due to this limitation.
>
> The use cases do not seem very compelling to me and I believe it was
> once stated that allowing full control would be a security risk.
> Developers can always set their own header to identify their scripts.
>
> (If you mean this would help you from browser.js or similar such
> scripts I would lobby for making exceptions there, rather than for the
> whole web.)
>
>
> --
> http://annevankesteren.nl/
>