Re: Security bug in XmlHttpRequest, setRequestHeader()

On Fri, 06 Jan 2012 00:26:25 +0100, Hill, Brad wrote:
> As this behavior is at least partially formally documented in   
> , and very widely  
> implemented, the algorithm for XHR should be updated to at least  
> consider "_", and possibly all non-alphanumeric characters, as  
> equivalent to "-" for purposes of comparison to the blacklisted header  
> set.

We do not consider this to be an issue. (If it's an issue at all, it's an  
issue with those libraries.)

Anne van Kesteren

Received on Friday, 6 January 2012 08:49:47 UTC
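
The comparison proposed in the quoted message, shown next to a case-insensitive exact match, as an added example that is not part of the thread or of any XHR implementation. The header list is an abbreviated, constructed subset, and `canonical`, `isForbiddenFolded` and `findCollisions` are hypothetical names; the collision check assumes a receiving library that treats "_" and "-" spellings as the same header.

```javascript
// Abbreviated, constructed subset of the setRequestHeader() blacklist (illustrative only).
const FORBIDDEN = ["accept-charset", "accept-encoding", "connection", "content-length",
  "cookie", "host", "referer", "transfer-encoding", "user-agent", "via"];
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

function matches(n) {
  return FORBIDDEN.includes(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Baseline: case-insensitive exact comparison against the blacklist.
function isForbiddenExact(name) {
  return matches(name.toLowerCase());
}

// Fold every non-alphanumeric character to "-" so "_" and "-" compare as equal.
function canonical(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "-");
}

// Proposed comparison: fold first, then compare against the blacklist.
function isForbiddenFolded(name) {
  return matches(canonical(name));
}

// Receiving-side check: group header names from one request that differ as
// written but collapse to the same folded name.
function findCollisions(headerNames) {
  const groups = new Map();
  for (const name of headerNames) {
    const key = canonical(name);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(name);
  }
  return [...groups.values()].filter(
    (g) => new Set(g.map((s) => s.toLowerCase())).size > 1
  );
}

// Constructed sample header names.
const sample = ["Host", "Content-Length", "Content_Length", "X-Custom"];
for (const h of sample) {
  console.log(h, "exact:", isForbiddenExact(h), "folded:", isForbiddenFolded(h));
}
console.log("collisions:", JSON.stringify(findCollisions(sample)));
```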