- From: Sergey Shekyan <shekyan@gmail.com>
- Date: Fri, 13 Jan 2017 17:11:08 -0800
- To: public-webappsec@w3.org
- Message-ID: <CAPkvmc9uut4dUAtZX9+5hsZWqZjtQ3Wh4D+kCcpfaOOE_8m0Zg@mail.gmail.com>
Website authors may wish to respond differently to user agents controlled through automated means, or even not respond at all. Certain kinds of website interactions may be considered acceptable for automation, but others may not be.

I think that attaching an HTTP request header to synthetically initiated navigation requests (https://fetch.spec.whatwg.org/#navigation-request) will help authors to build more reliable mechanisms to detect unwanted automation. This approach seems to be convenient for both the web application author and user agent implementers, but there may also be other ways to expose this information to the web application, so I am open to hearing alternative suggestions.

The presence or absence of this header should not be interpreted on its own, but rather as one part of a defense-in-depth solution to help reduce unwanted automation. Many websites already employ non-standard mechanisms to detect automation tools. It would be nice to provide well-behaved automation tooling a way to announce itself so that web application authors may respond appropriately.
Received on Saturday, 14 January 2017 01:12:02 UTC
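
A server-side sketch of the handling the message above describes, added here as an example and not part of the original post: a declared-automation header is applied per route, and its absence is not taken as proof of a human. The header name `Example-Automation`, the route table and the signal names are hypothetical placeholders; the message does not name a header.

```python
# Added example. The header name is a hypothetical placeholder.
AUTOMATION_HEADER = "example-automation"

# Constructed per-route policy: how to treat automation that announces itself.
ROUTE_POLICY = {
    "/search": "allow",       # automation acceptable here
    "/login": "challenge",    # automation must pass an extra step
    "/checkout": "deny",      # automation not acceptable
}

DECLARED_ACTION = {"allow": "serve", "challenge": "challenge", "deny": "reject"}


def decide(path, headers, other_signals):
    """Return 'serve', 'challenge' or 'reject' for a navigation request.

    headers       -- mapping of request header names to values
    other_signals -- set of names of independent heuristics that fired
                     (rate limits, fingerprinting, ...), constructed here
    """
    names = {name.lower() for name in headers}  # header names are case-insensitive
    policy = ROUTE_POLICY.get(path, "allow")

    if AUTOMATION_HEADER in names:
        # A well-behaved tool announced itself: apply the route's policy directly.
        return DECLARED_ACTION[policy]

    # No header: this proves nothing, since unwanted automation will not
    # announce itself. Fall back to the other layers of the defense.
    if policy == "allow" or not other_signals:
        return "serve"
    if len(other_signals) >= 2 and policy == "deny":
        return "reject"
    return "challenge"


if __name__ == "__main__":
    print(decide("/checkout", {"Example-Automation": "1"}, set()))
    print(decide("/checkout", {}, {"rate_limit", "headless_fingerprint"}))
```
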