
Re: Security bug in XmlHttpRequest, setRequestHeader()

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 06 Jan 2012 10:01:53 +0100
Message-ID: <4F06B881.2060408@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>, "Hill, Brad" <bhill@paypal-inc.com>
On 2012-01-06 09:49, Anne van Kesteren wrote:
> On Fri, 06 Jan 2012 00:26:25 +0100, Hill, Brad <bhill@paypal-inc.com>
> wrote:
>> As this behavior is at least partially formally documented in
>> http://tools.ietf.org/html/rfc3875#section-4.1.18 , and very widely
>> implemented, the algorithm for XHR should be updated to at least
>> consider "_", and possibly all non-alphanumeric characters, as
>> equivalent to "-" for purposes of comparison to the blacklisted header
>> set.
>
> We do not consider this to be an issue. (If it's an issue at all, it's
> an issue with those libraries.)
>
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/thread.html#msg1349

See also the thread starting <http://lists.w3.org/Archives/Public/ietf-http-wg/2011OctDec/0317.html>.

If people are concerned by this, I'd recommend submitting an erratum for RFC 3050.

Best regards, Julian
Received on Friday, 6 January 2012 09:09:26 GMT
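The mapping the thread argues about, as an added example that is not part of any message above: RFC 3875 section 4.1.18 turns a header field name into a CGI meta-variable by uppercasing it, replacing "-" with "_" and prefixing "HTTP_", so two header names that XHR compares as different strings can collapse to the same variable server-side. The code contrasts XHR's exact comparison with Brad Hill's proposed normalized comparison and shows a server-side check that flags colliding header names; the abbreviated forbidden-header set and the sample header list are constructed for the example.

```python
import re
from collections import defaultdict

# A few names from the XHR specification's forbidden request-header list
# (abbreviated here; the real list is longer). Compared case-insensitively.
FORBIDDEN = {"host", "referer", "cookie", "transfer-encoding"}


def cgi_meta_variable(header_name):
    """RFC 3875 s4.1.18: protocol-specific meta-variable for a header.
    Note: Content-Type/Content-Length get dedicated variables instead."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def xhr_blocks(header_name):
    """What the XHR spec does: exact, case-insensitive string comparison.
    'Transfer_Encoding' is not on the list, so it is allowed through."""
    return header_name.lower() in FORBIDDEN


def normalized_blocks(header_name):
    """The proposal from the thread: treat '_' (and any other
    non-alphanumeric) as '-' before comparing with the forbidden set."""
    canonical = re.sub(r"[^a-z0-9]", "-", header_name.lower())
    return canonical in FORBIDDEN


def colliding_headers(header_names):
    """Server-side check: group request header names that map to the same
    CGI meta-variable. Returns {meta_var: [names]} only for groups whose
    members differ by more than letter case, i.e. real ambiguity."""
    groups = defaultdict(list)
    for name in header_names:
        groups[cgi_meta_variable(name)].append(name)
    return {
        var: names
        for var, names in groups.items()
        if len({n.lower() for n in names}) > 1
    }


if __name__ == "__main__":
    # Constructed sample request header names, not a captured request.
    sample = ["Host", "Transfer_Encoding", "X-Requested-With", "Transfer-Encoding"]
    for name in sample:
        print(f"{name:20} -> {cgi_meta_variable(name):28} "
              f"xhr_blocks={xhr_blocks(name)} normalized={normalized_blocks(name)}")
    print("collisions:", colliding_headers(sample))
```

A gateway that sees a non-empty result from `colliding_headers` cannot tell which of the colliding headers produced the meta-variable it reads, so rejecting or logging such requests is the server-side counterpart to the client-side change proposed in the thread.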
