Re: [whatwg] Controlling the User-Agent header from script

On 2014-10-13 15:53, Anne van Kesteren wrote:
> Per XMLHttpRequest User-Agent has been off limits for script. Should
> we keep it that way for fetch()? Would it be harmful to allow it to be
> omitted?
> A possible attack I can think of would be an firewall situation that
> uses the User-Agent header as authentication check for certain
> resources.
That's a server security issue and not a browser one, attackers would 
never use a "nice" browser for attacks anyway,
what point is there in background checks for security guards if the 
window is always open so anyone can get in? ;)

Roger "Rescator" Hågensen.
Freelancer -

Received on Monday, 13 October 2014 22:48:19 UTC