- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Sat, 13 Oct 2012 09:08:22 +0000
- To: Julian Aubourg <j@ubourg.net>
- Cc: public-webapps@w3.org
I came across an article [1] that describes some of the reasoning for Flash's change in security policy when it banned setting User-Agent. Apparently, some sites echo the User-Agent value back in markup in certain contexts (maybe a "browser requirements" page for example). Being able to set User-Agent from web content thus might cause XSS issues for such pages. These backends never had any reason to filter the User-Agent string before, so they probably don't. Obviously, any XSS-injected scripts would not run as a result of simply loading the content with XHR (or Flash) - scripts in the response are not executed unless more steps are taken like jQuery's global eval taking SCRIPT tags from received markup and inserting them into the page. However, another threat might be using an XHR request to put a generated page with injected content in the browser's cache, then opening the page directly in a new window. The page would likely be taken from cache, and the XSS would be successful. So it seems reasonable to keep the limitation on setting User-Agent. (I'm still wondering if we could lift it only for the cross-domain case where the target site must opt in to receiving a changed UA string though..) [1] http://www.securityfocus.com/archive/1/441014
Received on Saturday, 13 October 2012 09:08:56 UTC