
Re: [whatwg] Controlling the User-Agent header from script

From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Mon, 13 Oct 2014 16:16:04 +0200
To: Anne van Kesteren <annevk@annevk.nl>, WHATWG <whatwg@whatwg.org>
Message-ID: <87bnpg9hsr.fsf@dieweltistgarnichtso.net>

Anne van Kesteren <annevk@annevk.nl> writes:

> Per XMLHttpRequest User-Agent has been off limits for script. Should
> we keep it that way for fetch()? Would it be harmful to allow it to be
> omitted?
>
> https://github.com/slightlyoff/ServiceWorker/issues/399
>
> A possible attack I can think of would be a firewall situation that
> uses the User-Agent header as authentication check for certain
> resources.

Reporting UA “Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--"<u>{!=&})”
broke hilariously many sites when I had set it as my default UA
string, even though I think it conforms to RFC 2616, section 14.43.

-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
Received on Monday, 13 October 2014 14:16:46 UTC
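
An added example, not part of the original message or of the thread: server-side handling of the User-Agent value quoted above as untrusted data, with string-built SQL beside a bound parameter and HTML escaping on output. The table schema and all function names are assumptions made for this illustration.

```python
import html
import sqlite3

# The User-Agent value quoted in the message above, copied verbatim.
UA = "Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--\"<u>{!=&})"


def open_db():
    """In-memory database with a constructed 'browsers' table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE browsers (id INTEGER PRIMARY KEY, ua TEXT NOT NULL)")
    return db


def record_ua_unsafe(db, ua):
    """Anti-pattern: the header is spliced into the statement text.

    The single quote inside the header ends the SQL string literal early,
    so the statement no longer parses and the request handler fails.
    """
    try:
        db.execute("INSERT INTO browsers (ua) VALUES ('%s')" % ua)
        return "stored"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error: %s" % type(exc).__name__


def record_ua(db, ua):
    """Bound parameter: the header travels as data and is never parsed as SQL."""
    db.execute("INSERT INTO browsers (ua) VALUES (?)", (ua,))
    row = db.execute("SELECT ua FROM browsers ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


def render_ua(ua):
    """Escape the header for HTML text/attribute context before echoing it."""
    return "<td>%s</td>" % html.escape(ua, quote=True)


if __name__ == "__main__":
    db = open_db()
    print("string-built SQL :", record_ua_unsafe(db, UA))
    print("bound parameter  :", record_ua(db, UA))
    print("escaped for HTML :", render_ua(UA))
```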
