Changeset 1032 for draft-ietf-httpbis/latest/p2-semantics.xml

Timestamp:

Oct 18, 2010, 10:47:51 PM (9 years ago)

Author:

mnot@…

Message:

Expound upon appropriate use and content of User-Agent; addresses #232.

File:

• draft-ietf-httpbis/latest/p2-semantics.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p2-semantics.xml

@@ -2284 +2284 @@
   <x:anchor-alias value="User-Agent"/>
   <x:anchor-alias value="User-Agent-v"/>
-<t>
-   The "User-Agent" request-header field contains information about the
-   user agent originating the request. This is for statistical purposes,
-   the tracing of protocol violations, and automated recognition of user
-   agents for the sake of tailoring responses to avoid particular user
-   agent limitations.
-</t>
-<t>
-   User agents &SHOULD; include this field with requests. The field can contain
-   multiple product tokens (&product-tokens;) and comments (&header-fields;)
-   identifying the agent and any subproducts which form a significant part of
-   the user agent. By convention, the product tokens are listed in order of
-   their significance for identifying the application.
-</t>
+
+  <t>The "User-Agent" request-header field contains information about the user
+  agent originating the request. User agents &SHOULD; include this field with
+  requests.</t>
+
+  <t>Typically, it is used for statistical purposes, the tracing of protocol
+  violations, and tailoring responses to avoid particular user agent
+  limitations.</t>
+
+  <t>The field can contain multiple product tokens (&product-tokens;)
+  and comments (&header-fields;) identifying the agent and its
+  significant subproducts. By convention, the product tokens are listed in
+  order of their significance for identifying the application.</t>
+
+  <t>Because this field is usually sent on every request a user agent makes,
+  implementations are encouraged not to include needlessly fine-grained
+  detail, and to limit (or even prohibit) the addition of subproducts by third
+  parties. Overly long and detailed User-Agent field values make requests
+  larger and can also be used to identify ("fingerprint") the user against
+  their wishes.</t>
+
+  <t>Likewise, implementations are encouraged not to use the product tokens of
+  other implementations in order to declare compatibility with them, as this
+  circumvents the purpose of the field. Finally, they are encouraged not to
+  use comments to identify products; doing so makes the field value more
+  difficult to parse.</t>
+
 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="User-Agent"/><iref primary="true" item="Grammar" subitem="User-Agent-v"/>
   <x:ref>User-Agent</x:ref>     = "User-Agent" ":" <x:ref>OWS</x:ref> <x:ref>User-Agent-v</x:ref>
@@ -2704 +2717 @@
    Referer information.
 </t>
-<t>
-   The User-Agent (<xref target="header.user-agent"/>) or Server (<xref target="header.server"/>) header
-   fields can sometimes be used to determine that a specific client or
-   server have a particular security hole which might be exploited.
-   Unfortunately, this same information is often used for other valuable
-   purposes for which HTTP currently has no better mechanism.
-</t>
+
+  <t>The User-Agent (<xref target="header.user-agent"/>) or Server (<xref
+  target="header.server"/>) header fields can sometimes be used to determine
+  that a specific client or server have a particular security hole which might
+  be exploited. Unfortunately, this same information is often used for other
+  valuable purposes for which HTTP currently has no better mechanism.</t>
+
+  <t>Furthermore, the User-Agent header field may contain enough entropy to be
+  used, possibly in conjunction with other material, to uniquely identify the
+  user.</t>
+
 <t>
    Some methods, like TRACE (<xref target="TRACE"/>), expose information