Re: [XHR] Open issue: allow setting User-Agent?

On 10/13/12 5:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for
> Flash's change in security policy when it banned setting User-Agent.
> Apparently, some sites echo the User-Agent value back in markup in
> certain contexts (maybe a "browser requirements" page for example).

And naturally do not send "Vary: User-Agent"?

> However, another threat might be using an XHR request to put a
> generated page with injected content in the browser's cache, then
> opening the page directly in a new window. The page would likely be
> taken from cache

This seems simple enough to deal with on the browser side: Assume "Vary: 
User-Agent" on all requests.  Probably a good idea anyway.

-Boris

Received on Saturday, 13 October 2012 15:49:15 UTC
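
Added example, not part of the original message: a toy JavaScript model of the cache behaviour discussed above, comparing a cache that honours only the `Vary` header the server sends with one that assumes `Vary: User-Agent` on every response. The origin, URL, `ToyCache` class and header values are all constructed for illustration and do not model any real browser's cache.

```javascript
// Toy model of a browser HTTP cache (constructed for illustration).
// Headers are plain objects with lower-case names.

// Constructed origin: echoes User-Agent into the page and sends no Vary header.
function originResponse(request) {
  return {
    headers: { 'content-type': 'text/html' },
    body: `<p>Your browser: ${request.headers['user-agent']}</p>`,
  };
}

// Header names the cache must key on: the response's Vary list plus any
// names the cache assumes on every response.
function varyNames(response, implicitVary) {
  const declared = (response.headers['vary'] || '')
    .split(',').map((n) => n.trim().toLowerCase()).filter(Boolean);
  return [...new Set([...declared, ...implicitVary])].sort();
}

class ToyCache {
  constructor(implicitVary = []) {
    this.implicitVary = implicitVary.map((n) => n.toLowerCase());
    this.entries = new Map(); // url -> [{ selectors, response }]
  }

  fetch(request) {
    const variants = this.entries.get(request.url) || [];
    const hit = variants.find((v) =>
      Object.entries(v.selectors).every(([name, value]) => (request.headers[name] || '') === value));
    if (hit) return { fromCache: true, body: hit.response.body };

    const response = originResponse(request);
    const selectors = {};
    for (const name of varyNames(response, this.implicitVary)) {
      selectors[name] = request.headers[name] || '';
    }
    variants.push({ selectors, response });
    this.entries.set(request.url, variants);
    return { fromCache: false, body: response.body };
  }
}

// Request 1 models an XHR with an overridden User-Agent; request 2 models the
// later top-level navigation with the browser's real User-Agent.
function replay(cache) {
  const url = 'https://site.example/requirements';
  cache.fetch({ url, headers: { 'user-agent': 'CONSTRUCTED-MARKER' } });
  return cache.fetch({ url, headers: { 'user-agent': 'RealBrowser/1.0' } });
}
```

`replay(new ToyCache())` serves the navigation from the entry stored by the first request, while `replay(new ToyCache(['User-Agent']))` treats the differing User-Agent as a cache miss and refetches.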