On Tue, Oct 14, 2014 at 12:06 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Tue, Oct 14, 2014 at 1:02 AM, Jonas Sicking <jo...@sicking.cc> wrote:
>> We'd definitely need to treat the header as a content-set header from
>> a CORS perspective. Otherwise we'd have problems not just with pages
>> behind firewalls, but also websites that use cookies for
>> authentication. I.e. most websites.
>
> I thought maybe if we just allow it to be omitted (and not set to any
> value) it would be okay. Just like we allow Referrer to be omitted.
> But maybe not.

I'd rather not. Seems like an unknown amount of risk for a pretty low
value. I would imagine that the main use case is to set a different
UA, not remove the UA.

/ Jonas