- From: Cure53 <notifications@github.com>
- Date: Tue, 07 Apr 2015 04:17:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 7 April 2015 11:17:28 UTC
One note about my context maybe: Right now, for penetration tests, we use malformed UA strings to aim for persistent XSS or Intranet XSS. Giving an attacker control over the UA string via `fetch()` opens the door to abuse that in a CSRF scenario and beyond. Not sure if that is a good idea. Thus my question, if you consider that to be in scope or not.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/37#issuecomment-90509499