
Re: Security bug in XmlHttpRequest, setRequestHeader()

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 06 Jan 2012 09:49:10 +0100
To: "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>, "Hill, Brad" <bhill@paypal-inc.com>
Message-ID: <op.v7nmr8g064w2qv@annevk-macbookpro.local>
On Fri, 06 Jan 2012 00:26:25 +0100, Hill, Brad <bhill@paypal-inc.com>  
wrote:
> As this behavior is at least partially formally documented in   
> http://tools.ietf.org/html/rfc3875#section-4.1.18 , and very widely  
> implemented, the algorithm for XHR should be updated to at least  
> consider "_", and possibly all non-alphanumeric characters, as  
> equivalent to "-" for purposes of comparison to the blacklisted header  
> set.

We do not consider this to be an issue. (If it's an issue at all, it's an  
issue with those libraries.)

http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/thread.html#msg1349


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 6 January 2012 08:49:47 GMT
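The collision the quoted message describes, worked through as an added Python example (this is not code from the thread, from the XHR specification, or from any browser): `cgi_meta_variable` applies the RFC 3875 section 4.1.18 mapping, `client_blocks_exact` is the byte-exact comparison the message objects to, `client_blocks_folded` is the folding comparison it proposes, and `server_accepts` is a server-side check I am assuming as a mitigation, not something anyone in the thread suggested. The `CLIENT_FORBIDDEN` set is a constructed sample standing in for a real forbidden-header list.

```python
import re

# Constructed sample of header names a client refuses to set via
# setRequestHeader(); it stands in for the spec's real blacklist and is not
# taken from the thread.
CLIENT_FORBIDDEN = {"host", "content-length", "proxy-authorization"}


def cgi_meta_variable(field_name: str) -> str:
    """Map an HTTP header field name to its CGI meta-variable name exactly as
    RFC 3875 section 4.1.18 specifies: upper-case it, replace every '-' with
    '_', and prepend 'HTTP_'. (The RFC lets a server omit headers it already
    exposes another way, such as Content-Length; that exclusion is left out
    here because it does not affect the collision being shown.)"""
    return "HTTP_" + field_name.upper().replace("-", "_")


def client_blocks_exact(field_name: str) -> bool:
    """The comparison the message objects to: case-insensitive but otherwise
    byte-exact, so a name that differs only by '_' versus '-' is not
    recognised as a forbidden header."""
    return field_name.lower() in CLIENT_FORBIDDEN


def client_blocks_folded(field_name: str) -> bool:
    """The comparison the message proposes: fold '_' (and every other
    non-alphanumeric byte) to '-' before consulting the forbidden set."""
    folded = re.sub(r"[^a-z0-9]", "-", field_name.lower())
    return folded in CLIENT_FORBIDDEN


def cgi_collides(name_a: str, name_b: str) -> bool:
    """True when two distinct wire names reach a CGI script under one
    meta-variable name, which is the root of the problem being discussed."""
    return name_a != name_b and cgi_meta_variable(name_a) == cgi_meta_variable(name_b)


def server_accepts(field_name: str) -> bool:
    """Server-side mitigation (an assumption of this example, not a proposal
    from the thread): refuse any header name containing '_' before the CGI
    mapping runs, so each meta-variable can only have come from the
    hyphenated wire name."""
    return "_" not in field_name


if __name__ == "__main__":
    pair = ("Proxy-Authorization", "Proxy_Authorization")
    for name in pair:
        print(f"{name:22} -> {cgi_meta_variable(name):28} "
              f"exact-block={client_blocks_exact(name)!s:5} "
              f"folded-block={client_blocks_folded(name)!s:5} "
              f"server-accepts={server_accepts(name)}")
    print("collide after CGI mapping:", cgi_collides(*pair))
```

Running the block prints both names mapping to the same `HTTP_PROXY_AUTHORIZATION` meta-variable, with only the folded client check and the server-side check treating the underscore variant as suspect. Which side should own the fix is exactly the disagreement in the thread; the two checks are independent, and deploying the server-side one does not rely on the client's behaviour.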
