On 10/13/12 5:08 AM, Hallvord R. M. Steen wrote:
> I came across an article [1] that describes some of the reasoning for
> Flash's change in security policy when it banned setting User-Agent.
> Apparently, some sites echo the User-Agent value back in markup in
> certain contexts (maybe a "browser requirements" page for example).

And naturally do not send "Vary: User-Agent"?

> However, another threat might be using an XHR request to put a
> generated page with injected content in the browser's cache, then
> opening the page directly in a new window. The page would likely be
> taken from cache

This seems simple enough to deal with on the browser side: Assume "Vary: User-Agent" on all requests. Probably a good idea anyway.

-Boris
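
Added example, not part of the original message: a minimal JavaScript model of cache Vary matching, showing how treating every response as if it carried "Vary: User-Agent" changes whether a navigation reuses an entry stored by a request that sent a different User-Agent. The class, function names, URL and header values are constructed for illustration and model no particular browser's cache; header names are assumed to be lower-cased already.

```javascript
// Minimal model of an HTTP cache's Vary matching (hypothetical names throughout).
class VaryCache {
  constructor({ implicitVaryUserAgent = false } = {}) {
    this.implicitVaryUserAgent = implicitVaryUserAgent;
    this.entries = new Map(); // URL -> array of stored variants
  }

  // Request header names that must match for a stored response to be reused.
  varyNames(responseHeaders) {
    const names = (responseHeaders["vary"] || "")
      .split(",").map((n) => n.trim().toLowerCase()).filter(Boolean);
    if (this.implicitVaryUserAgent && !names.includes("user-agent")) {
      names.push("user-agent"); // the browser-side assumption proposed above
    }
    return names;
  }

  store(url, requestHeaders, responseHeaders, body) {
    const names = this.varyNames(responseHeaders);
    if (names.includes("*")) return; // "Vary: *" never matches a later request
    const selected = {};
    for (const n of names) selected[n] = requestHeaders[n] ?? null;
    const variants = this.entries.get(url) || [];
    variants.push({ selected, body });
    this.entries.set(url, variants);
  }

  lookup(url, requestHeaders) {
    for (const v of this.entries.get(url) || []) {
      const same = Object.entries(v.selected)
        .every(([n, val]) => (requestHeaders[n] ?? null) === val);
      if (same) return v.body;
    }
    return null; // miss: the request goes to the network
  }
}

// Constructed scenario: a script-initiated request overrides User-Agent, then a
// top-level navigation asks for the same URL with the browser's real User-Agent.
function navigationServedFromCache(cache) {
  const url = "https://site.example/requirements";
  const scripted = { "user-agent": "CONSTRUCTED-SCRIPT-SET-VALUE" };
  const navigation = { "user-agent": "CONSTRUCTED-REAL-BROWSER-UA" };
  // The server echoes User-Agent into markup but sends no Vary header.
  cache.store(url, scripted, {}, "page reflecting " + scripted["user-agent"]);
  return cache.lookup(url, navigation) !== null;
}
```

With the default cache the navigation reuses the entry stored by the scripted request; with `implicitVaryUserAgent: true` the differing User-Agent forces a miss and a fresh fetch.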
