
Re: [whatwg] Controlling the User-Agent header from script

From: Roger Hågensen <rescator@emsai.net>
Date: Tue, 14 Oct 2014 00:54:44 +0200
Message-ID: <543C5834.3070802@emsai.net>
To: whatwg@lists.whatwg.org
On 2014-10-13 16:16, Nils Dagsson Moskopp wrote:
> Anne van Kesteren <annevk@annevk.nl> writes:
>
>> Per XMLHttpRequest User-Agent has been off limits for script.
> Reporting UA “Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--"<u>{!=&})”
> broke hilariously many sites when I did have set it as my default UA
> string, even though I think it conforms to RFC 2616, section 14.43.
>
Again, that's a server security issue and not a browser one; attackers 
would never use a "nice" browser for attacks anyway.
What point is there in background checks for security guards if the 
window is always open so anyone can get in? ;)

Also, a script being able to set a custom XMLHttpRequest User-Agent 
would be nice.
Not necessarily replace the whole thing but maybe concatenate to the end 
of the browser one?
That way a webmaster would be able to see that the request is from 
script Blah v0.9 when it really should be Blah v1.0 for example.
I always make sure that any software I make uses a custom User-Agent; 
the same goes for any PHP scripts and so on, ditto if I use CURL. That way 
the logs on the server will provide some insight.

-- 
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
Received on Monday, 13 October 2014 22:55:15 UTC
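
The server-side handling this reply points to, as an added example that is not part of the original message: the User-Agent string quoted above is logged once through a concatenated SQL statement and once through a bound parameter, then escaped for an HTML log view. The table layout and function names are assumptions for illustration, and SQLite stands in for whatever database a site uses.

```python
import html
import sqlite3

# The User-Agent string quoted in the message above.
UA = "Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--\"<u>{!=&})"


def make_db():
    """In-memory database with a hypothetical schema (assumed, not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE browsers (name TEXT)")
    db.execute("CREATE TABLE request_log (ua TEXT)")
    return db


def log_unsafe(db, ua):
    """Concatenates the header into SQL: the quote in it ends the string literal."""
    try:
        db.execute("INSERT INTO request_log (ua) VALUES ('" + ua + "')")
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False  # the statement no longer parses; the request handler breaks here


def log_safe(db, ua):
    """Binds the header as a parameter, so it is stored as data and never parsed as SQL."""
    db.execute("INSERT INTO request_log (ua) VALUES (?)", (ua,))
    return True


def render_log_rows(db):
    """Table cells for an HTML log viewer; the stored header is escaped on output."""
    rows = db.execute("SELECT ua FROM request_log")
    return ["<td>" + html.escape(row[0]) + "</td>" for row in rows]


def tables(db):
    """Names of the tables currently present, to confirm nothing was dropped."""
    query = "SELECT name FROM sqlite_master WHERE type='table'"
    return sorted(row[0] for row in db.execute(query))
```
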
