
Re: [xhr] Blocked headers with underscore rather than hyphen (was: Re: call for reviewers: XMLHttpRequest Last Call)

From: <sird@rckc.at>
Date: Wed, 16 Dec 2009 23:47:25 +0800
Message-ID: <8ba534860912160747w8bea659k9d27969428f44b22@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>
Hmm well, the only difference is that these attacks would now work
same-site.. I mean..

XHR restricts User-Agent and other headers so they can't be sent,
supposedly to protect against JS code sending wrong headers to the server, but
if the restriction can be fooled using a _, isn't the restriction useless
now?

It's not an issue that affects all servers, but it does affect a very famous
one..

Anyway, it's not a very serious issue.. I just wanted to know if it was
going to be considered.
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, Zhejiang, China

On Wed, Dec 16, 2009 at 11:17 PM, Anne van Kesteren <annevk@opera.com> wrote:

> On Wed, 09 Dec 2009 11:33:25 +0100, sird@rckc.at <sird@rckc.at> wrote:
>
>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>> -- Eduardo
>>
>
> It seems it is not considered an issue for same-origin requests per that
> page and cross-origin requests are only dealt with in XMLHttpRequest Level 2
> which requires strict per-header opt-in. Have you talked with implementors
> about this?
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
Received on Wednesday, 16 December 2009 15:48:28 GMT
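The mechanism behind the bypass discussed in this thread, as an added example that is not code from the post, from the XHR specification, or from any browser or server: a browser that compares header names literally against its blocked list lets "User_Agent" through, and a CGI-style server that upper-cases header names and turns "-" into "_" before exposing them as HTTP_* variables folds that spelling onto the same variable as the real User-Agent. The blocked-header list, the browser's default User-Agent string, and the helper names below are assumptions made for the demonstration; a hardened check that canonicalises "_" to "-" before consulting the list is shown alongside the literal one.

```javascript
// Added example, not code from the mailing-list post or from any browser or
// server. It models the two halves of the bypass Eduardo describes:
//  - client side: XMLHttpRequest.setRequestHeader() refuses a fixed list of
//    header names, compared literally;
//  - server side: CGI-style environments expose request headers as
//    HTTP_<NAME> with the name upper-cased and "-" replaced by "_", so
//    "User-Agent" and "User_Agent" land in the same variable.
// The blocked-header list and the browser's own User-Agent string are
// assumptions for the demo, not the spec's or any product's actual values.

const BLOCKED_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'connection', 'content-length',
  'cookie', 'cookie2', 'content-transfer-encoding', 'date', 'expect',
  'host', 'keep-alive', 'referer', 'te', 'trailer', 'transfer-encoding',
  'upgrade', 'user-agent', 'via',
]);

const BROWSER_UA = 'Mozilla/5.0 (example browser)'; // assumed default UA

// Literal check: what a browser does if it compares names exactly as given.
function isBlockedLiteral(name) {
  const n = name.toLowerCase();
  return BLOCKED_HEADERS.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Hardened check: treat "_" as "-" before consulting the block list, so any
// spelling a CGI-style server would fold onto a blocked name is also refused.
function isBlockedCanonical(name) {
  return isBlockedLiteral(name.replace(/_/g, '-'));
}

// CGI-style environment variable name for a request header.
function cgiVariableName(headerName) {
  return 'HTTP_' + headerName.toUpperCase().replace(/-/g, '_');
}

// Simulate one request: the script asks for `scriptHeaders`, the browser
// applies `blockedCheck` and adds its own User-Agent, and the server builds a
// CGI-style environment. Values are returned as lists per variable, because
// how a real server resolves two headers folding onto one variable
// (overwrite, join, drop) differs between implementations.
function simulateRequest(scriptHeaders, blockedCheck) {
  const sent = [['User-Agent', BROWSER_UA]]; // browser-controlled header
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (blockedCheck(name)) continue; // setRequestHeader() refused it
    sent.push([name, value]);
  }
  const env = {};
  for (const [name, value] of sent) {
    const key = cgiVariableName(name);
    (env[key] = env[key] || []).push(value);
  }
  return env;
}

// Demonstration: the underscore spelling slips past the literal check and
// collides with the browser's own User-Agent on the server side.
const attack = { 'User_Agent': 'spoofed-ua', 'X-Custom': 'fine' };
console.log(simulateRequest(attack, isBlockedLiteral));
// { HTTP_USER_AGENT: ['Mozilla/5.0 (example browser)', 'spoofed-ua'], HTTP_X_CUSTOM: ['fine'] }
console.log(simulateRequest(attack, isBlockedCanonical));
// { HTTP_USER_AGENT: ['Mozilla/5.0 (example browser)'], HTTP_X_CUSTOM: ['fine'] }
```

Two independent fixes close the hole: the client can canonicalise "_" to "-" before the blocked-name comparison (isBlockedCanonical above), and a server can refuse to expose header names containing "_" at all, since no blocked name can then alias a legitimate one. Either alone suffices for this specific collision; the server-side rule also covers clients that were never patched.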
