> The language part currently shows the language of the used chrome
> localization. The HTTP explicitly discourages revealing the UI language
> to the site.
Why is that? And why is it in the UA standard then?
> I suggest to always return "en".
> We have the Accept-Language HTTP header, which is the official way and
> which can be customized by the user.
> Later, we could use that pref to determine which language to report in
> the UA-string, but I don't know of pages which use the value in the
> UA-string or the JavaScript-function, so that is not high on my priority
> list.
The user-agent string is already a pref, isn't it?
> Bug 57555
> Currently, we reveal the exact version number (up to the build number on
> newer OSes) of Windows. That allows for targeted attacks to exploit the
> known security holes of the particular OS version. I don't see a reason
> why a site would *need* to know that, at least none that would justify
> the risk for the user. Thus, I have a patch to return one of 3 values:
>
> * "WinNT" for Windows NT 3.x, 4.0, W2K, Windows XP etc.
I think there should be more of a distinction in this list, although I
don't know where the line should be drawn.
> * "Win9x" for Win95, 98, ME
> * "Win" as fallback
What's the point? If an attacker can't decide whether a browser is
vulnerable or not, he'll just launch the attack anyway. How does this
help?
Gerv