Re: [XHR] Open issue: allow setting User-Agent?

I came across an article [1] that describes some of the reasoning for  
Flash's change in security policy when it banned setting User-Agent.  
Apparently, some sites echo the User-Agent value back in markup in  
certain contexts (maybe a "browser requirements" page for example).  
Being able to set User-Agent from web content thus might cause XSS  
issues for such pages. These backends never had any reason to filter  
the User-Agent string before, so they probably don't.

Obviously, any XSS-injected scripts would not run as a result of  
simply loading the content with XHR (or Flash) - scripts in the  
response are not executed unless more steps are taken like jQuery's  
global eval taking SCRIPT tags from received markup and inserting them  
into the page. However, another threat might be using an XHR request  
to put a generated page with injected content in the browser's cache,  
then opening the page directly in a new window. The page would likely  
be taken from cache, and the XSS would be successful. So it seems  
reasonable to keep the limitation on setting User-Agent. (I'm still  
wondering if we could lift it only for the cross-domain case where the  
target site must opt in to receiving a changed UA string though.)

[1] http://www.securityfocus.com/archive/1/441014

Received on Saturday, 13 October 2012 09:08:56 UTC