[xhr] Blocked headers with underscore rather than hyphen (was: Re: call for reviewers: XMLHttpRequest Last Call)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 16 Dec 2009 16:17:22 +0100
To: "sird@rckc.at" <sird@rckc.at>, public-webapps@w3.org
Cc: "Adam Barth" <w3c@adambarth.com>, "Thomas Roessler" <tlr@w3.org>
Message-ID: <op.u41d28s164w2qv@annevk-t60>

On Wed, 09 Dec 2009 11:33:25 +0100, sird@rckc.at <sird@rckc.at> wrote:
> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
> -- Eduardo

It seems it is not considered an issue for same-origin requests per that  
page and cross-origin requests are only dealt with in XMLHttpRequest Level  
2 which requires strict per-header opt-in. Have you talked with  
implementors about this?

Anne van Kesteren
Received on Wednesday, 16 December 2009 15:18:10 UTC
