- From: Denis Bittencourt Muniz <notifications@github.com>
- Date: Thu, 16 Feb 2023 10:00:53 -0800
- To: whatwg/xhr <xhr@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 16 February 2023 18:01:14 UTC
Hi all,

I was analyzing the [XHR live standard](https://xhr.spec.whatwg.org/) to confirm how I can get request headers before calls to `send`. The reason is about security, to avoid XSS attacks, that is, to achieve the "best" way of storing a security (access) token (consider I don't have a backend, BFF).

Am I right? The XHR spec doesn't allow access to request headers in any way*? Do you know an implementation (any browser) or known vulnerability which could lead to request headers leaking?

*Except by (re)prototyping XHR, and there are ways to protect it. Of course, at client-side there are limitations and some options to be secured.

PS: `fetch` allows reading the headers, just to compare the two standards too.

Thanks

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/xhr/issues/369
Message ID: <whatwg/xhr/issues/369@github.com>