- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 14 Oct 2014 02:38:01 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WHATWG <whatwg@whatwg.org>
On Tue, Oct 14, 2014 at 12:06 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Tue, Oct 14, 2014 at 1:02 AM, Jonas Sicking <jonas@sicking.cc> wrote: >> We'd definitely need to treat the header as a content-set header from >> a CORS perspective. Otherwise we'd have problems not just with pages >> behind firewalls, but also websites that use cookies for >> authentication. I.e. most websites. > > I thought maybe if we just allow it to be omitted (and not set to any > value) it would be okay. Just like we allow Referrer to be omitted. > But maybe not. I'd rather not. Seems like an unknown amount of risk for a pretty low value. I would imagine that the main use case is to set a different UA, not remove the UA. / Jonas
Received on Tuesday, 14 October 2014 09:39:09 UTC