
Re: XHR setting headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 22 Apr 2008 08:52:51 +0200
Message-ID: <480D8B43.6050301@gmx.de>
To: Sunava Dutta <sunavad@windows.microsoft.com>
CC: Peter Michaux <petermichaux@gmail.com>, "public-webapi@w3.org" <public-webapi@w3.org>

Sunava Dutta wrote:
>>> IMHO we need either removeRequestHeader(), getRequestHeader(), or both.
> 
> GetRequestHeader could pose a security risk, because you could then GetRequestHeader (Cookie) and steal HTTPOnly cookies.

Sure. It would need to be done correctly. That doesn't change the fact 
that in XHR1, control over the request headers is totally insufficient.

BR, Julian
Received on Tuesday, 22 April 2008 06:53:44 GMT
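
One way a request-header accessor could avoid the leak raised in the thread, as an added example that is not part of the original message or of any XHR specification or browser code: `getRequestHeader()` reads only from the store of headers the script itself set, and headers the user agent attaches (such as `Cookie`) are merged in only when the request is sent. The class name, the `toWire` method and the short list of user-agent-controlled names are assumptions made for this illustration.

```javascript
// Added illustration; every name below is hypothetical.
// Illustrative subset of header names the user agent controls.
// Scripts may neither set nor read them through this object.
const UA_CONTROLLED = new Set(["cookie", "cookie2", "host", "referer", "content-length"]);

class AuthorHeaders {
  #author = new Map(); // lower-cased name -> value, written by script only

  // Normalise the name and reject anything that is not an HTTP token.
  #key(name) {
    const key = String(name).toLowerCase();
    if (!/^[!#$%&'*+.^_`|~0-9a-z-]+$/.test(key)) {
      throw new SyntaxError("invalid header name");
    }
    return key;
  }

  setRequestHeader(name, value) {
    const key = this.#key(name);
    if (UA_CONTROLLED.has(key)) return; // ignored: the user agent owns these
    const prev = this.#author.get(key);
    // Repeated calls for one name combine the values.
    this.#author.set(key, prev === undefined ? String(value) : prev + ", " + value);
  }

  // Returns only what the script set earlier, never a user-agent value.
  getRequestHeader(name) {
    const key = this.#key(name);
    if (UA_CONTROLLED.has(key)) return null;
    return this.#author.has(key) ? this.#author.get(key) : null;
  }

  // Returns true if a script-set header was removed.
  removeRequestHeader(name) {
    return this.#author.delete(this.#key(name));
  }

  // Called by the (simulated) network layer at send time. uaHeaders is a
  // Map with lower-cased names; on a clash the user-agent value wins.
  toWire(uaHeaders) {
    return new Map([...this.#author, ...uaHeaders]);
  }
}
```

Because the cookie value never enters the script-visible store, no call sequence on the object can return it, while script-set headers remain readable and removable.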
