I agree the use cases do not seem compelling. But I know I'm generally surprised by what people can and will do. What problem did you encounter that would have necessitated to change the User-Agent string, Hallvord? Is it because of sites sniffing the wrong way? If so, I tend to agree with Anne that this shouldn't be fixed in the XHR spec. Just think what a malicious script could do to browser usage statistics (of course, no browser vendor would ever try and rig the stats ;)). Also, there actually are security concerns. While I trust open-source browsers (and mainstream close-source ones) not to try and trick servers into malicious operations, I can't say the same for the whole web, especially malicious ad scripts.
Le mardi 9 octobre 2012, Anne van Kesteren a écrit : > On Tue, Oct 9, 2012 at 2:11 PM, Hallvord R. M. Steen > <[email protected]<javascript:;>> > wrote: > > Personally I'm strongly in favour of removing User-Agent from the list of > > prohibited headers. As an author I've experienced problems I could not > solve > > due to this limitation. > > The use cases do not seem very compelling to me and I believe it was > once stated that allowing full control would be a security risk. > Developers can always set their own header to identify their scripts. > > (If you mean this would help you from browser.js or similar such > scripts I would lobby for making exceptions there, rather than for the > whole web.) > > > -- > http://annevankesteren.nl/ >
