Re: [whatwg] Controlling the User-Agent header from script

On Tue, Oct 14, 2014 at 12:06 AM, Anne van Kesteren <> wrote:
> On Tue, Oct 14, 2014 at 1:02 AM, Jonas Sicking <> wrote:
>> We'd definitely need to treat the header as a content-set header from
>> a CORS perspective. Otherwise we'd have problems not just with pages
>> behind firewalls, but also websites that use cookies for
>> authentication. I.e. most websites.
> I thought maybe if we just allow it to be omitted (and not set to any
> value) it would be okay. Just like we allow Referrer to be omitted.
> But maybe not.

I'd rather not. Seems like an unknown amount of risk for a pretty low
value. I would imagine that the main use case is to set a different
UA, not remove the UA.

/ Jonas

Received on Tuesday, 14 October 2014 09:39:09 UTC