Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Freezing the User-Agent header

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 24 Feb 2020 21:04:59 +0100 (CET)

On Mon, 24 Feb 2020, Tim Rühsen via curl-library wrote:

> as freezing the User-Agent header is currently a thing, I would like to ask
> the curl community about their opinions.
>
> The reason for freezing is to reveal less privacy data and make
> fingerprinting harder.

Those are part of the reasons we reduced the curl user-agent many years ago
[1]. I don't think we're in the same situation as the crazy headers of the
browsers. The curl user-agent header as of right now is a very small privacy
leak.

But also, I don't think the version number in the header is very useful other
than in a subset of debugging cases so I wouldn't be upset if we would remove
that as well...

I've not personally planned on reducing it further. Also note that libcurl
itself has no default user-agent header at all.

> Omitting User-Agent is not an issue as random web sites use User-Agent
> sniffing (often in wrong ways, but that is a different issue).

The entire idea of this freeze is primarily a browser concept since they want
to offer users APIs and other ways to get the info that sites currently are
trying to figure out by sniffing the user-agent. Other HTTP clients will not
be able to offer those APIs as easily and neither do we use the browsers'
crazy user-agent headers.

[1] = https://daniel.haxx.se/blog/2012/05/12/shorter-http-requests-for-curl/ 

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-02-24