Anne van Kesteren <ann...@annevk.nl> writes: > Per XMLHttpRequest User-Agent has been off limits for script. Should > we keep it that way for fetch()? Would it be harmful to allow it to be > omitted? > > https://github.com/slightlyoff/ServiceWorker/issues/399 > > A possible attack I can think of would be an firewall situation that > uses the User-Agent header as authentication check for certain > resources.
Reporting UA “Mozilla/4.0 (MSIE 6.0';DROP TABLE browsers;--"<u>{!=&})” broke hilariously many sites when I did have set it as my default UA string, even though I think it conforms to RFC 2616, section 14.43. -- Nils Dagsson Moskopp // erlehmann <http://dieweltistgarnichtso.net>