Timestamp:
Oct 18, 2010, 10:47:51 PM (9 years ago)
Author:
mnot@…
Message:

Expound upon appropriate use and content of User-Agent; addresses #232.

File:
1 edited

  • draft-ietf-httpbis/latest/p2-semantics.xml

    r1030 r1032  
    22842284  <x:anchor-alias value="User-Agent"/>
    22852285  <x:anchor-alias value="User-Agent-v"/>
    2286 <t>
    2287    The "User-Agent" request-header field contains information about the
    2288    user agent originating the request. This is for statistical purposes,
    2289    the tracing of protocol violations, and automated recognition of user
    2290    agents for the sake of tailoring responses to avoid particular user
    2291    agent limitations.
    2292 </t>
    2293 <t>
    2294    User agents &SHOULD; include this field with requests. The field can contain
    2295    multiple product tokens (&product-tokens;) and comments (&header-fields;)
    2296    identifying the agent and any subproducts which form a significant part of
    2297    the user agent. By convention, the product tokens are listed in order of
    2298    their significance for identifying the application.
    2299 </t>
     2286
     2287  <t>The "User-Agent" request-header field contains information about the user
     2288  agent originating the request. User agents &SHOULD; include this field with
     2289  requests.</t>
     2290
     2291  <t>Typically, it is used for statistical purposes, the tracing of protocol
     2292  violations, and tailoring responses to avoid particular user agent
     2293  limitations.</t>
     2294
     2295  <t>The field can contain multiple product tokens (&product-tokens;)
     2296  and comments (&header-fields;) identifying the agent and its
     2297  significant subproducts. By convention, the product tokens are listed in
     2298  order of their significance for identifying the application.</t>
     2299
     2300  <t>Because this field is usually sent on every request a user agent makes,
     2301  implementations are encouraged not to include needlessly fine-grained
     2302  detail, and to limit (or even prohibit) the addition of subproducts by third
     2303  parties. Overly long and detailed User-Agent field values make requests
     2304  larger and can also be used to identify ("fingerprint") the user against
     2305  their wishes.</t>
     2306
     2307  <t>Likewise, implementations are encouraged not to use the product tokens of
     2308  other implementations in order to declare compatibility with them, as this
     2309  circumvents the purpose of the field. Finally, they are encouraged not to
     2310  use comments to identify products; doing so makes the field value more
     2311  difficult to parse.</t>
     2312
    23002313<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="User-Agent"/><iref primary="true" item="Grammar" subitem="User-Agent-v"/>
    23012314  <x:ref>User-Agent</x:ref>     = "User-Agent" ":" <x:ref>OWS</x:ref> <x:ref>User-Agent-v</x:ref>
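
Review bot: The new text at 2295-2298 still describes comments as "identifying the agent and its significant subproducts", while the last added paragraph (2309-2311) encourages implementations not to use comments to identify products, so the two paragraphs read as contradictory. Consider stating in 2295-2298 what comments are meant to carry, or narrowing the identifying clause to product tokens only. Separately, the restrictions at 2300-2311 are phrased as "are encouraged not to" while inclusion of the field uses &SHOULD;; if the fingerprinting and compatibility-token advice is meant to be normative, use a requirement keyword, and if it is advisory, the current wording is fine but worth confirming against #232.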
     
    27042717   Referer information.
    27052718</t>
    2706 <t>
    2707    The User-Agent (<xref target="header.user-agent"/>) or Server (<xref target="header.server"/>) header
    2708    fields can sometimes be used to determine that a specific client or
    2709    server have a particular security hole which might be exploited.
    2710    Unfortunately, this same information is often used for other valuable
    2711    purposes for which HTTP currently has no better mechanism.
    2712 </t>
     2719
     2720  <t>The User-Agent (<xref target="header.user-agent"/>) or Server (<xref
     2721  target="header.server"/>) header fields can sometimes be used to determine
     2722  that a specific client or server have a particular security hole which might
     2723  be exploited. Unfortunately, this same information is often used for other
     2724  valuable purposes for which HTTP currently has no better mechanism.</t>
     2725
     2726  <t>Furthermore, the User-Agent header field may contain enough entropy to be
     2727  used, possibly in conjunction with other material, to uniquely identify the
     2728  user.</t>
     2729
    27132730<t>
    27142731   Some methods, like TRACE (<xref target="TRACE"/>), expose information
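
Review bot: The added paragraph at 2726-2728 uses a bare "may" ("may contain enough entropy"), which can be mistaken for a requirement keyword in a document that writes its keywords as entities such as &SHOULD;; "can" or "might" avoids the ambiguity. The paragraph also states the identification risk without pointing at the guidance this changeset adds to the User-Agent section; an <xref target="header.user-agent"/> here, as in the paragraph just above it, would connect the risk to the advice on limiting detail.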