Jungkee Song <[email protected]> wrote Thu, 11 Oct 2012 10:56:53 +0200

> IMO browser spoofing either through the browser's main HTTP request or
> XHR request is not the ultimate way to handle the browser sniffing
> issues in practical service scenarios.

Well, it would be a lot nicer to write specs for an ideal "ultimate" world
for sure ;-)

In *this* world, this limits what script authors can do in a way that will
leave them unable to solve some problems.

However, that MAY still be a reasonable decision if there are good reasons
to do so! I agree with you that this is a judgement call with both pros
and cons.

In this specific case I don't understand the full reasoning behind the
limitation. Some of the rationale sounds more like "we think somebody once
may have said it would cause a security problem". And I would like us to
have a stronger rationale and more evidence when we limit what authors are
allowed to do.

Maybe other members of public-webapps could help me out by suggesting
threat scenarios and use cases where this limitation seems relevant?

--
Hallvord R. M. Steen
Core tester, Opera Software