Re: Security bug in XmlHttpRequest, setRequestHeader()

On Fri, 06 Jan 2012 00:26:25 +0100, Hill, Brad <bhill@paypal-inc.com>  
wrote:
> As this behavior is at least partially formally documented in   
> http://tools.ietf.org/html/rfc3875#section-4.1.18 , and very widely  
> implemented, the algorithm for XHR should be updated to at least  
> consider "_", and possibly all non-alphanumeric characters, as  
> equivalent to "-" for purposes of comparison to the blacklisted header  
> set.

We do not consider this to be an issue. (If it's an issue at all, it's an  
issue with those libraries.)

http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/thread.html#msg1349


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 6 January 2012 08:49:47 UTC
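The collision Brad Hill describes, as an added example that is not part of the thread: it models the XHR forbidden-header check of the time as an exact case-insensitive match, the RFC 3875 section 4.1.18 naming rule that turns a header into an `HTTP_` meta-variable (uppercase, `-` to `_`), and the normalization he proposes. The forbidden-header list, the function names, and the simplification that every header name goes through the generic `HTTP_` rule (RFC 3875 actually gives Content-Length its own `CONTENT_LENGTH` variable) are my assumptions, not anything stated in the mail.

```javascript
// Added example (not from the mailing-list thread). Node.js, no dependencies.
//
// Assumed forbidden request-header list, roughly the XHR list of the period.
const FORBIDDEN_HEADERS = [
  "accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "cookie2", "date", "expect", "host", "keep-alive", "referer",
  "te", "trailer", "transfer-encoding", "upgrade", "user-agent", "via",
];

// The check as specified at the time: case-insensitive but otherwise exact,
// so "Content_Length" does not match "content-length" and is let through.
function isForbiddenExact(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADERS.includes(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// RFC 3875 section 4.1.18: prefix HTTP_, uppercase, replace "-" with "_".
// Applied uniformly to every header here for illustration (assumption).
function cgiMetaVariable(name) {
  return "HTTP_" + name.toUpperCase().replace(/-/g, "_");
}

// The proposal from the quoted mail: treat "_" (and, more broadly, every
// non-alphanumeric character) as "-" before comparing against the list.
function isForbiddenNormalized(name) {
  const n = name.toLowerCase().replace(/[^a-z0-9]/g, "-");
  return isForbiddenExact(n);
}

// Simulate setRequestHeader(name, ...) under a given check and report which
// CGI meta-variable the header would populate if the browser sends it.
function simulateSetRequestHeader(name, check) {
  if (check(name)) return { allowed: false, metaVariable: null };
  return { allowed: true, metaVariable: cgiMetaVariable(name) };
}

// For each forbidden header, build the "_" spelling and ask whether the check
// lets it through while the CGI side still maps it onto the same variable as
// the forbidden name. Returns the list of colliding spellings.
function findCollisions(check) {
  const collisions = [];
  for (const forbidden of FORBIDDEN_HEADERS) {
    const variant = forbidden.replace(/-/g, "_");
    const result = simulateSetRequestHeader(variant, check);
    if (result.allowed && result.metaVariable === cgiMetaVariable(forbidden)) {
      collisions.push(variant);
    }
  }
  return collisions;
}

// Stand-alone demonstration.
console.log("exact check:     ", findCollisions(isForbiddenExact));
console.log("normalized check:", findCollisions(isForbiddenNormalized));
```

With the exact check, every hyphenated entry on the list has an underscore spelling that XHR accepts and that a CGI gateway following section 4.1.18 folds onto the same `HTTP_*` variable as the forbidden header; with the normalized check, none does. Whether that is the browser's problem or the gateway's is exactly the disagreement in the thread above.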