- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 22 Apr 2008 08:52:51 +0200
- To: Sunava Dutta <sunavad@windows.microsoft.com>
- CC: Peter Michaux <petermichaux@gmail.com>, "public-webapi@w3.org" <public-webapi@w3.org>

Sunava Dutta wrote:
>>> IMHO we need either removeRequestHeader(), getRequestHeader(), or both.
>
> GetRequestHeader could pose a security risk, because you could then GetRequestHeader (Cookie) and steal HTTPOnly cookies.

Sure. It would need to be done correctly. That doesn't change the fact that in XHR1, control over the request headers is totally insufficient.

BR, Julian

Received on Tuesday, 22 April 2008 06:53:44 UTC