I came across an article [1] that describes some of the reasoning for
Flash's change in security policy when it banned setting User-Agent.
Apparently, some sites echo the User-Agent value back in markup in
certain contexts (maybe a "browser requirements" page for example).
Being able to set User-Agent from web content thus might cause XSS
issues for such pages. These backends never had any reason to filter
the User-Agent string before, so they probably don't.
Obviously, any XSS-injected scripts would not run as a result of
simply loading the content with XHR (or Flash) - scripts in the
response are not executed unless more steps are taken like jQuery's
global eval taking SCRIPT tags from received markup and inserting them
into the page. However, another threat might be using an XHR request
to put a generated page with injected content in the browser's cache,
then opening the page directly in a new window. The page would likely
be taken from cache, and the XSS would be successful. So it seems
reasonable to keep the limitation on setting User-Agent. (I'm still
wondering if we could lift it only for the cross-domain case where the
target site must opt in to receiving a changed UA string though.)
[1] http://www.securityfocus.com/archive/1/441014
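The backend failure the post describes, as an added example that is not part of the original message or of the article it cites: a minimal "browser requirements" handler that echoes User-Agent into markup verbatim, beside a hardened version that HTML-encodes the header and marks the response uncacheable (so a reflected copy cannot later be served from the browser cache, the second scenario above), plus the kind of check a scanner or unit test would run to tell the two apart. The handler names, the page template and both User-Agent strings are constructed for this illustration and are not taken from any real site.

```python
import html

# Constructed sample User-Agent values (not real captured headers): one
# ordinary string and one carrying HTML markup, as a script-controlled
# XHR/Flash request could have supplied before the policy change.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/2.0"
MARKUP_UA = 'Mozilla/5.0 <b>not-a-browser</b> "quoted"'

# Hypothetical page template for a "browser requirements" page.
PAGE_TEMPLATE = (
    "<html><body><p>Your browser reports itself as: {ua}</p></body></html>"
)


def render_requirements_page_unsafe(user_agent):
    """The 'before' handler: the header goes into the markup verbatim.
    Returns (headers, body) like a minimal WSGI-style response."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = PAGE_TEMPLATE.format(ua=user_agent)
    return headers, body


def render_requirements_page_safe(user_agent):
    """The hardened handler: HTML-encode the header before it reaches the
    markup (the root-cause fix), and send Cache-Control: no-store so a
    response built from a hostile header is never kept in the cache."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store",
    }
    body = PAGE_TEMPLATE.format(ua=html.escape(user_agent, quote=True))
    return headers, body


MARKUP_CHARS = set("<>\"'&")


def reflects_markup_unescaped(body, header_value):
    """Scanner-style check: True when the header carried markup characters
    and the raw value appears verbatim (hence unencoded) in the body."""
    if not (MARKUP_CHARS & set(header_value)):
        return False
    return header_value in body


def is_cacheable(headers):
    """True unless Cache-Control forbids storing the response."""
    cache_control = headers.get("Cache-Control", "").lower()
    return "no-store" not in cache_control


if __name__ == "__main__":
    for name, handler in (("unsafe", render_requirements_page_unsafe),
                          ("safe", render_requirements_page_safe)):
        hdrs, body = handler(MARKUP_UA)
        print(f"{name}: reflects markup="
              f"{reflects_markup_unescaped(body, MARKUP_UA)}, "
              f"cacheable={is_cacheable(hdrs)}")
```

The encoding step is the fix that removes the XSS regardless of who can set the header; the `no-store` header only narrows the cache-based variant and is not a substitute for it.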