[xhr] Blocked headers with underscore rather than hyphen (was: Re: call for reviewers: XMLHttpRequest Last Call)

On Wed, 09 Dec 2009 11:33:25 +0100, sird@rckc.at <sird@rckc.at> wrote:
> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
> -- Eduardo

It seems it is not considered an issue for same-origin requests per that
page, and cross-origin requests are only dealt with in XMLHttpRequest Level
2, which requires strict per-header opt-in. Have you talked with
implementors about this?


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 16 December 2009 15:18:10 UTC