- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 13 Oct 2014 16:02:24 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@whatwg.org>
On Mon, Oct 13, 2014 at 6:53 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Per XMLHttpRequest User-Agent has been off limits for script. Should
> we keep it that way for fetch()? Would it be harmful to allow it to be
> omitted?
>
> https://github.com/slightlyoff/ServiceWorker/issues/399
>
> A possible attack I can think of would be a firewall situation that
> uses the User-Agent header as an authentication check for certain
> resources.

We'd definitely need to treat the header as a content-set header from a CORS perspective. Otherwise we'd have problems not just with pages behind firewalls, but also websites that use cookies for authentication. I.e. most websites.

I still have some concerns about this. Though I can't think of any problems off the top of my head. I suspect we'll want to run this past our security team to make sure we're not missing anything.

FWIW, I don't think there's any difference between XHR and fetch(). If we enable this for fetch(), I don't see a reason not to enable it for XHR as well since it should mainly involve removing "User-Agent" from some internal blacklist in the code.

/ Jonas
Received on Monday, 13 October 2014 23:03:24 UTC
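The CORS point Jonas raises (a script-set User-Agent must count as a non-safelisted request header so that it triggers a preflight) can be made concrete with a small model of the rules. The block below is an added example, not code from the thread or from any browser; it is a simplified rendering of the Fetch spec's CORS-safelisted request header and preflight checks (it omits the per-value byte checks, the conditional Range rule and Access-Control-Allow-Origin matching), and the request and response objects, header names and values are constructed for illustration. It shows that a cookie-authenticated cross-origin resource behind a firewall stays protected as long as User-Agent is treated like any other custom header: the request only goes through if the server opts in with Access-Control-Allow-Headers, and a bare `*` does not opt in when credentials are sent.

```javascript
// Added example (not from the thread): a simplified model of the Fetch spec's
// CORS rules, used to show why letting script choose User-Agent must make the
// request "non-simple" (preflighted). Header names and values are constructed.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// CORS-safelisted request header check. Simplified: the spec additionally
// rejects certain bytes in values and has a conditional rule for Range.
function isCorsSafelistedRequestHeader(name, value) {
  if (String(value).length > 128) return false; // spec's per-value length limit
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      const essence = String(value).split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // User-Agent, Authorization, X-Custom, ... are never safelisted
  }
}

// Lowercased names of the request headers that would force a preflight.
function unsafeRequestHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelistedRequestHeader(name, value))
    .map(([name]) => name.toLowerCase());
}

// A cross-origin request is "simple" (no preflight) only if the method and
// every header are safelisted.
function needsPreflight(method, headers) {
  return (
    !SAFELISTED_METHODS.has(method.toUpperCase()) ||
    unsafeRequestHeaderNames(headers).length > 0
  );
}

function parseHeaderList(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Would the server's preflight (OPTIONS) response authorise the actual request?
// request: {method, headers, credentials: "omit" | "same-origin" | "include"}
// preflightResponse: {status, headers} with lowercased header names.
function preflightAllows(request, preflightResponse) {
  if (preflightResponse.status < 200 || preflightResponse.status > 299) return false;
  const allowMethods = parseHeaderList(preflightResponse.headers["access-control-allow-methods"]);
  const allowHeaders = parseHeaderList(preflightResponse.headers["access-control-allow-headers"]);
  // "*" is only a wildcard for requests sent without credentials, and it
  // never covers Authorization.
  const wildcardOk = request.credentials !== "include";
  const method = request.method.toUpperCase();
  const methodOk =
    SAFELISTED_METHODS.has(method) ||
    allowMethods.includes(method.toLowerCase()) ||
    (wildcardOk && allowMethods.includes("*"));
  const headersOk = unsafeRequestHeaderNames(request.headers).every(
    (h) =>
      allowHeaders.includes(h) ||
      (wildcardOk && allowHeaders.includes("*") && h !== "authorization"),
  );
  return methodOk && headersOk;
}

// Constructed scenario: a script-supplied User-Agent on a request that carries
// the user's cookies. Without an explicit server opt-in it must be refused.
const cookieAuthedRequest = {
  method: "GET",
  headers: { "User-Agent": "script-chosen/1.0" },
  credentials: "include",
};
const noOptIn = { status: 204, headers: {} };
const explicitOptIn = { status: 204, headers: { "access-control-allow-headers": "User-Agent" } };
```

Calling `needsPreflight("GET", { "User-Agent": "script-chosen/1.0" })` returns `true`, `preflightAllows(cookieAuthedRequest, noOptIn)` returns `false`, and only `preflightAllows(cookieAuthedRequest, explicitOptIn)` returns `true`; that is the "content-set header" treatment the message asks for, and it is the same decision logic whether the header is set through XHR or fetch().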