- From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
- Date: Tue, 14 Oct 2014 01:12:51 +0200
- To: rescator@emsai.net, whatwg@lists.whatwg.org
Roger Hågensen <rescator@emsai.net> writes: > On 2014-10-13 16:16, Nils Dagsson Moskopp wrote: >> Anne van Kesteren <annevk@annevk.nl> writes: >> >>> Per XMLHttpRequest User-Agent has been off limits for script. >> Reporting UA “Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--"<u>{!=&})” >> broke hilariously many sites when I did have set it as my default UA >> string, even though I think it conforms to RFC 2616, section 14.43. >> > Again, that's a server security issue and not a browser one, attackers > would never use a "nice" browser for attacks anyway, I suspect with some XSS, this might be able to tear a new security hole with a feature that primarily provides cosmetic benefits. > what point is there in background checks for security guards if the > window is always open so anyone can get in? ;) > > Also, a script being able to set a custom XMLHttpRequest User-Agent > would be nice. > Not necessarily replace the whole thing but maybe concatenate to the end > of the browser one? I'd rather have a prefix, as the RFC says that UA tokens are in decreasing significance. Does that mean compatibility problems? -- Nils Dagsson Moskopp // erlehmann <http://dieweltistgarnichtso.net>
Received on Monday, 13 October 2014 23:13:33 UTC