Proposal to advertise automation of UA

From: Sergey Shekyan <shekyan@gmail.com>
Date: Fri, 13 Jan 2017 17:11:08 -0800
Message-ID: <CAPkvmc9uut4dUAtZX9+5hsZWqZjtQ3Wh4D+kCcpfaOOE_8m0Zg@mail.gmail.com>
To: public-webappsec@w3.org

Website authors may wish to respond differently to user agents controlled
through automated means, or even not respond at all. Certain kinds of
website interactions may be considered acceptable for automation, but
others may not be.

I think that attaching an HTTP request header to synthetically initiated
navigation requests (https://fetch.spec.whatwg.org/#navigation-request)
will help authors to build more reliable mechanisms to detect unwanted
automation. This approach seems to be convenient for both the web
application author and user agent implementers, but there may also be other
ways to expose this information to the web application, so I am open to
hearing alternative suggestions.

The presence or absence of this header should not be interpreted on its
own, but rather as one part of a defense-in-depth solution to help reduce
unwanted automation.

Many websites already employ non-standard mechanisms to detect automation
tools. It would be nice to provide well-behaved automation tooling a way to
announce itself so that web application authors may respond appropriately.

Received on Saturday, 14 January 2017 01:12:02 UTC