- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 13 Oct 2012 11:48:47 -0400
- To: public-webapps@w3.org
On 10/13/12 5:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for
> Flash's change in security policy when it banned setting User-Agent.
> Apparently, some sites echo the User-Agent value back in markup in
> certain contexts (maybe a "browser requirements" page for example).

And naturally do not send "Vary: User-Agent"?

> However, another threat might be using an XHR request to put a
> generated page with injected content in the browser's cache, then
> opening the page directly in a new window. The page would likely be
> taken from cache

This seems simple enough to deal with on the browser side: Assume "Vary: User-Agent" on all requests. Probably a good idea anyway.

-Boris
Received on Saturday, 13 October 2012 15:49:15 UTC
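The cache scenario Hallvord describes and the mitigation Boris proposes, as an added example that is not code from the thread, from any browser or from the Flash runtime: a toy HTTP cache keyed on URL plus the request-header values named by Vary, with a switch that makes it assume "Vary: User-Agent" on every response. The origin, URL and User-Agent strings are constructed.

```python
# Toy model of a browser HTTP cache with an optional implied "Vary: User-Agent".
# Added example, not code from the thread or from any browser or Flash runtime.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REAL_UA = "Mozilla/5.0 (constructed browser UA)"   # constructed value
INJECTED_UA = "[injected markup]"                   # constructed, script-chosen value
URL = "https://example.test/browser-requirements"   # constructed URL

@dataclass
class Response:
    body: str
    vary: Tuple[str, ...] = ()   # header names listed in the response's Vary field

def echo_ua_origin(req: Dict[str, str]) -> Response:
    """Constructed origin: echoes User-Agent into markup and sends no Vary."""
    return Response(body=f"<p>Your browser: {req['user-agent']}</p>")

class BrowserCache:
    def __init__(self, assume_vary_user_agent: bool) -> None:
        self.assume_vary_user_agent = assume_vary_user_agent
        self.entries: Dict[str, Tuple[Dict[str, str], Response]] = {}

    def _vary_fields(self, resp: Response) -> set:
        fields = {name.lower() for name in resp.vary}
        if self.assume_vary_user_agent:
            fields.add("user-agent")   # the proposal: treat every response as varying on UA
        return fields

    def store(self, url: str, req: Dict[str, str], resp: Response) -> None:
        # Secondary key: the request header values the response is taken to vary on.
        key = {f: req.get(f, "") for f in self._vary_fields(resp)}
        self.entries[url] = (key, resp)

    def lookup(self, url: str, req: Dict[str, str]) -> Optional[Response]:
        entry = self.entries.get(url)
        if entry is None:
            return None
        key, resp = entry
        return resp if all(req.get(f, "") == v for f, v in key.items()) else None

def navigate_after_xhr(assume_vary_user_agent: bool) -> str:
    """Body shown when the URL is opened directly after an XHR sent a custom UA."""
    cache = BrowserCache(assume_vary_user_agent)
    xhr_req = {"user-agent": INJECTED_UA}               # script-controlled header value
    cache.store(URL, xhr_req, echo_ua_origin(xhr_req))  # generated page lands in cache
    nav_req = {"user-agent": REAL_UA}                   # browser's own UA on navigation
    hit = cache.lookup(URL, nav_req)
    return hit.body if hit else echo_ua_origin(nav_req).body
```

Without the assumption the navigation is served the cached page built from the script-chosen header; with it the cache key no longer matches and the browser refetches with its own User-Agent.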