W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2017

Re: Proposal to advertise automation of UA

From: Sergey Shekyan <shekyan@gmail.com>
Date: Sat, 14 Jan 2017 01:25:25 -0800
Message-ID: <CAPkvmc-4Wy+MhL8sOW8amVtn0_TZ1w9JS+3OmSTQ-94Gx6-mtw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
I am talking about tools that automate user agents, e.g. headless browsers
(PhantomJS, SlimerJS, headless Chrome), Selenium, curl, etc.
I mentioned navigation requests as don't see so far how advertising
automation to non-navigation requests would help.
Another option to advertise can be a property on navigator object, which
would defer possible actions by authors to second request.


On Sat, Jan 14, 2017 at 12:56 AM, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Fri, Jan 13, 2017 at 5:11 PM, Sergey Shekyan <shekyan@gmail.com> wrote:
>
>> I think that attaching a HTTP request header to synthetically initiated
>> navigation requests (https://fetch.spec.whatwg.org/#navigation-request)
>> will help authors to build more reliable mechanisms to detect unwanted
>> automation.
>>
>
> ​I don't see anything in that spec about "synthetic" navigation requests.
> Where would you define that? How would you define that? Is a scripted
> window.open() in a browser "synthetic"? what about an iframe in a page?
> Does it matter if the user expected the iframe to be there or not (such as
> ads)? What if the page had 100 iframes?
>
> Are you trying to solve the same problem robots.txt is trying to solve? If
> not what kind of automation are you talking about?​
>
> -
> ​Dan Veditz​
>
>
Received on Saturday, 14 January 2017 09:26:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC