On Tue, Oct 9, 2012 at 9:29 AM, Hallvord R. M. Steen <hallv...@opera.com> wrote:

> Anne van Kesteren <ann...@annevk.nl> wrote Tue, 09 Oct 2012 15:13:00 +0200
>
>> it was once stated that allowing full control would be a security risk.
>
> I don't think this argument has really been substantiated for the
> User-Agent header. I don't really see what security problems setting
> User-Agent can cause.
>
> (To be honest, I think the list of disallowed headers in the current spec
> was something we copied from Macromedia's policy for Flash without much
> debate for each item).
>
>> (If you mean this would help you from browser.js or similar such
>> scripts I would lobby for making exceptions there, rather than for the
>> whole web.)
>
> Well, browser.js and user scripts *is* one use case but I fully agree that
> those are special cases that should not guide spec development.
>
> However, if you consider the CORS angle you'll see that scripts out there
> are already being written to interact with another site's backend, and such
> scripts may face the same challenges as a user script or extension using
> XHR including backend sniffing. That's why experience from user.js
> development is now relevant for general web tech, and why I'm making this
> argument.
>
> --
> Hallvord R. M. Steen
> Core tester, Opera Software

I agree with Hallvord, I cannot think of any additional *real* security risk involved with setting the User-Agent header. Particularly in a CORS situation, the server-side will (should) already be authenticating the origin and request headers accordingly.

If there truly is a compelling case for a server to only serve to Browser XYZ that is within scope of the open web platform, I'd really like to hear that.

Jarred