Re: [XHR] Open issue: allow setting User-Agent?

On Tue, Oct 9, 2012 at 9:29 AM, Hallvord R. M. Steen <hallvord@opera.com> wrote:

> Anne van Kesteren <annevk@annevk.nl> wrote Tue, 09 Oct 2012 15:13:00 +0200
>
>> it was once stated that allowing full control would be a security risk.
>
> I don't think this argument has really been substantiated for the
> User-Agent header. I don't really see what security problems setting
> User-Agent can cause.
>
> (To be honest, I think the list of disallowed headers in the current spec
> was something we copied from Macromedia's policy for Flash without much
> debate for each item).
>
>
>> (If you mean this would help you from browser.js or similar such
>> scripts I would lobby for making exceptions there, rather than for the
>> whole web.)
>
> Well, browser.js and user scripts *are* one use case but I fully agree that
> those are special cases that should not guide spec development.
>
> However, if you consider the CORS angle you'll see that scripts out there
> are already being written to interact with another site's backend, and such
> scripts may face the same challenges as a user script or extension using
> XHR including backend sniffing. That's why experience from user.js
> development is now relevant for general web tech, and why I'm making this
> argument.
>
>
> --
> Hallvord R. M. Steen
> Core tester, Opera Software
>

I agree with Hallvord, I cannot think of any additional *real* security
risk involved with setting the User-Agent header.  Particularly in a CORS
situation, the server-side will (should) already be authenticating the
origin and request headers accordingly.  If there truly is a compelling
case for a server to only serve to Browser XYZ that is within scope of the
open web platform, I'd really like to hear that.

Jarred
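As an added illustration of the point made in this thread (not code from the discussion or from any spec), here is a server-side CORS decision that grants access based on the Origin header and the preflighted method and request headers, and never consults User-Agent, which any non-browser client can set to anything anyway. The function name `corsHeadersFor` and the allowlists are assumptions for this example.

```javascript
// Constructed allowlists for the example; a real deployment loads these from config.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_REQUEST_HEADERS = new Set(["content-type", "x-requested-with"]);

// req: { method: "GET" | "OPTIONS" | ..., headers: { lowercaseName: value } }
// Returns the CORS response headers to send, or null if the request is not granted.
// Note what is *not* read: req.headers["user-agent"]. It carries no trust, so it
// plays no part in the decision, whether or not a browser lets scripts set it.
function corsHeadersFor(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return null;         // not a cross-origin request
  if (!ALLOWED_ORIGINS.has(origin)) return null; // unknown origin: browser blocks the response

  const granted = {
    "Access-Control-Allow-Origin": origin,       // echo the exact origin, never "*"
    "Vary": "Origin",                            // caches must key responses on Origin
  };

  // Preflight: validate the method and headers the script intends to use.
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod !== undefined) {
    if (!ALLOWED_METHODS.has(wantedMethod.toUpperCase())) return null;
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wantedHeaders.every((h) => ALLOWED_REQUEST_HEADERS.has(h))) return null;
    granted["Access-Control-Allow-Methods"] = [...ALLOWED_METHODS].join(", ");
    granted["Access-Control-Allow-Headers"] = [...ALLOWED_REQUEST_HEADERS].join(", ");
    granted["Access-Control-Max-Age"] = "600";
  }
  return granted;
}
```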

Received on Tuesday, 9 October 2012 14:06:55 UTC