
Re: [whatwg] Controlling the User-Agent header from script

From: Roger Hågensen <rescator@emsai.net>
Date: Tue, 14 Oct 2014 00:47:47 +0200
Message-ID: <543C5693.3050009@emsai.net>
To: whatwg@lists.whatwg.org

On 2014-10-13 15:53, Anne van Kesteren wrote:
> Per XMLHttpRequest User-Agent has been off limits for script. Should
> we keep it that way for fetch()? Would it be harmful to allow it to be
> omitted?
>
> https://github.com/slightlyoff/ServiceWorker/issues/399
>
> A possible attack I can think of would be a firewall situation that
> uses the User-Agent header as authentication check for certain
> resources.
>
>
That's a server security issue and not a browser one; attackers would
never use a "nice" browser for attacks anyway.
What point is there in background checks for security guards if the
window is always open so anyone can get in? ;)

-- 
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
Received on Monday, 13 October 2014 22:48:19 UTC
