- From: <sird@rckc.at>
- Date: Wed, 16 Dec 2009 23:47:25 +0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps@w3.org, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>
Received on Wednesday, 16 December 2009 15:48:28 UTC
Hmm well, the only difference is that these attacks would now work same-site.. I mean.. XHR is restricting that user-agent, and other headers shouldn't be sent, supposedly to protect the JS code to send wrong headers to the server, but if the restriction can be fooled using a _, isn't the restriction useless now?

It's not an issue that affects all servers, but it does affect a very famous one..

Anyway, it's not a very serious issue.. I just wanted to know if it was going to be considered.

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, Zhejiang, China

On Wed, Dec 16, 2009 at 11:17 PM, Anne van Kesteren <annevk@opera.com> wrote:

> On Wed, 09 Dec 2009 11:33:25 +0100, sird@rckc.at <sird@rckc.at> wrote:
>
>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>> -- Eduardo
>
> It seems it is not considered an issue for same-origin requests per that
> page and cross-origin requests are only dealt with in XMLHttpRequest Level 2
> which requires strict per-header opt-in. Have you talked with implementors
> about this?
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
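Added example, not part of the original messages: a server-side check for header names that pass a literal forbidden-name comparison but collide with a restricted header once hyphens and underscores are folded together. It assumes a server that maps request headers to CGI-style variables (RFC 3875); the function names, the forbidden-name subset and the sample headers are constructed for illustration.

```javascript
// Added example; header values and the sample request are constructed.
// Subset of the header names XMLHttpRequest refuses to let script set.
const FORBIDDEN = ["Accept-Charset", "Accept-Encoding", "Connection",
  "Content-Length", "Cookie", "Host", "Referer", "User-Agent", "Via"];

// CGI-style mapping of a request header to a variable name (RFC 3875):
// upper-case it, turn "-" into "_", prefix "HTTP_".
function cgiName(header) {
  return "HTTP_" + header.toUpperCase().replace(/-/g, "_");
}

const FORBIDDEN_CGI = new Set(FORBIDDEN.map(cgiName));

// The client-side style of check: case-insensitive match on the literal name.
function blockedByExactMatch(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN.some((f) => f.toLowerCase() === lower);
}

// The same check made after the normalization the server will apply.
function blockedAfterNormalization(name) {
  return FORBIDDEN_CGI.has(cgiName(name));
}

// Server-side filter: names that pass the literal check but land on the
// same variable as a forbidden header. Drop or reject these before the
// application reads its environment.
function findAliasedHeaders(headers) {
  return headers
    .map(([name]) => name)
    .filter((n) => !blockedByExactMatch(n) && blockedAfterNormalization(n));
}

// Constructed request headers.
const sample = [
  ["Host", "example.test"],
  ["User-Agent", "Browser/1.0"],
  ["User_Agent", "set-by-script"],
  ["X-Requested-With", "XMLHttpRequest"],
];

console.log(findAliasedHeaders(sample));
```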