
Re: [whatwg] Controlling the User-Agent header from script

From: Nils Dagsson Moskopp <nils@dieweltistgarnichtso.net>
Date: Tue, 14 Oct 2014 01:12:51 +0200
To: rescator@emsai.net, whatwg@lists.whatwg.org
Message-ID: <87iojnsgwc.fsf@dieweltistgarnichtso.net>
Roger Hågensen <rescator@emsai.net> writes:

> On 2014-10-13 16:16, Nils Dagsson Moskopp wrote:
>> Anne van Kesteren <annevk@annevk.nl> writes:
>>
>>> Per XMLHttpRequest User-Agent has been off limits for script.
>> Reporting UA “Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--"<u>{!=&})”
>> broke hilariously many sites when I had it set as my default UA
>> string, even though I think it conforms to RFC 2616, section 14.43.
>>
> Again, that's a server security issue and not a browser one; attackers
> would never use a "nice" browser for attacks anyway,

I suspect with some XSS, this might be able to tear a new security hole
with a feature that primarily provides cosmetic benefits.

> what point is there in background checks for security guards if the
> window is always open so anyone can get in? ;)
>
> Also, a script being able to set a custom XMLHttpRequest User-Agent
> would be nice.
> Not necessarily replacing the whole thing, but maybe concatenating to
> the end of the browser one?

I'd rather have a prefix, as the RFC says that UA tokens are in
decreasing significance. Does that mean compatibility problems?

-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
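The point of the quoted UA string is that it is syntactically valid yet breaks servers that treat the header as trusted text. The following Python is an added example, not code from anyone in this thread: it checks a User-Agent against the product/comment grammar of RFC 2616 section 14.43, then logs it into an in-memory SQLite table (a hypothetical visit log) once with string-built SQL and once with a bound parameter.

```python
import re
import sqlite3

# The User-Agent quoted in the thread, constructed here as the test input.
ODD_UA = 'Mozilla/4.0 (MSIE 6.0\';DROP TABLE browsers;--"<u>{!=&})'
# RFC 2616 "token" excludes CTLs and separators; product = token ["/" token].
_TOKEN = r'[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+'
_PRODUCT = re.compile(rf'{_TOKEN}(?:/{_TOKEN})?')

def _skip_comment(s, i):
    """Index just past the (possibly nested) comment opening at s[i], or -1."""
    depth, i = 1, i + 1
    while i < len(s) and depth:
        if s[i] == '\\':          # quoted-pair: backslash escapes the next CHAR
            i += 1
        elif s[i] == '(':
            depth += 1
        elif s[i] == ')':
            depth -= 1
        i += 1
    return i if depth == 0 else -1

def is_valid_user_agent(ua):
    """Check ua against User-Agent = 1*( product | comment ), RFC 2616 14.43."""
    i, parts = 0, 0
    while 0 <= i < len(ua):
        if ua[i] in ' \t':        # linear white space between parts
            i += 1
            continue
        m = _PRODUCT.match(ua, i)
        i = _skip_comment(ua, i) if ua[i] == '(' else (m.end() if m else -1)
        parts += 1
    return i >= 0 and parts > 0

def log_ua(conn, ua, parameterised):
    """Record a visit: string-building the SQL is the bug, binding is the fix."""
    if parameterised:
        conn.execute("INSERT INTO visits(ua) VALUES (?)", (ua,))
    else:
        conn.execute(f"INSERT INTO visits(ua) VALUES ('{ua}')")

def simulate(ua, parameterised):
    """Return (request succeeded, stored UA strings) for an in-memory log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits(ua TEXT)")
    try:
        log_ua(conn, ua, parameterised)
    except (sqlite3.Error, sqlite3.Warning):   # the quote in ua ends the literal
        return False, []                        # the request fails: a broken site
    return True, [row[0] for row in conn.execute("SELECT ua FROM visits")]
```

With Python's sqlite3 the string-built query fails because the quote splits it into two statements; a driver that accepts several statements would instead run the second one, which is why binding the value is the only form that stores the header verbatim under any driver.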
Received on Monday, 13 October 2014 23:13:33 UTC
