Should XHR allow scripts to set User-Agent?
Cons:
* The spec suggests the limitation helps ensure some "data integrity"
* Slight back-compat risks if we encounter scripts that attempt to set
User-Agent on sites with backends that expect normal browser UA strings.
This may sound far-fetched but some sites do "fingerprint" the browser by
the value of various headers and use this "fingerprint" as a security
measure.
Pros:
* We should try to avoid imposing limitations on scripts, except when
careful reasoning suggests we need those limitations
* User-Agent is not a very useful header in the first place, backends
should not rely on it
* Allowing it can help scripts work around broken backends that DO abuse
User-Agent - particularly useful with CORS, where one might want to get
data from a site that allows cross-origin usage but has backend browser
sniffing/blocking
* Conceptually, a JavaScript making HTTP requests can also claim to be
acting on behalf of the user, being the user's "Agent".
Personally I'm strongly in favour of removing User-Agent from the list of
prohibited headers. As an author I've experienced problems I could not
solve due to this limitation.
--
Hallvord R. M. Steen
Core tester, Opera Software