Re: Security bug in XmlHttpRequest, setRequestHeader()

On 2012-01-06 09:49, Anne van Kesteren wrote:
> On Fri, 06 Jan 2012 00:26:25 +0100, Hill, Brad <bhill@paypal-inc.com>
> wrote:
>> As this behavior is at least partially formally documented in
>> http://tools.ietf.org/html/rfc3875#section-4.1.18 , and very widely
>> implemented, the algorithm for XHR should be updated to at least
>> consider "_", and possibly all non-alphanumeric characters, as
>> equivalent to "-" for purposes of comparison to the blacklisted header
>> set.
>
> We do not consider this to be an issue. (If it's an issue at all, it's
> an issue with those libraries.)
>
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/thread.html#msg1349

See also the thread starting 
<http://lists.w3.org/Archives/Public/ietf-http-wg/2011OctDec/0317.html>.

If people are concerned by this, I'd recommend submitting an erratum for 
RFC 3050.

Best regards, Julian

Received on Friday, 6 January 2012 09:09:26 UTC
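The RFC 3875 section 4.1.18 name mapping that Brad Hill cites, the exact-match forbidden-header check the thread criticises, and the normalized comparison he proposes, as an added Python example that is not code from the thread, the XHR spec or any browser. The forbidden-header subset, the prefixes and the server-side collision check are my own assumptions.

```python
import re
from typing import Dict, Iterable, List

# Assumption: an illustrative subset of the XHR forbidden request-header
# names and prefixes; the spec's list is longer.
FORBIDDEN_HEADERS = {"content-length", "host", "cookie", "origin",
                     "referer", "transfer-encoding"}
FORBIDDEN_PREFIXES = ("proxy-", "sec-")


def cgi_meta_variable(field_name: str) -> str:
    """Map a header field name to its CGI meta-variable name as RFC 3875
    section 4.1.18 describes: upper-case, '-' becomes '_', prefix HTTP_.
    Two distinct field names can therefore land on one variable."""
    return "HTTP_" + field_name.upper().replace("-", "_")


def naive_is_forbidden(field_name: str) -> bool:
    """Case-insensitive exact comparison only (the check the thread faults)."""
    name = field_name.lower()
    return name in FORBIDDEN_HEADERS or name.startswith(FORBIDDEN_PREFIXES)


def normalized_is_forbidden(field_name: str) -> bool:
    """Brad Hill's proposal: treat '_' (and, in the stricter variant shown
    here, every non-alphanumeric character) as '-' before comparing."""
    name = re.sub(r"[^a-z0-9]", "-", field_name.lower())
    return name in FORBIDDEN_HEADERS or name.startswith(FORBIDDEN_PREFIXES)


def colliding_meta_variables(header_names: Iterable[str]) -> Dict[str, List[str]]:
    """Server-side defensive check (assumed, not from the thread): group a
    request's header names by the meta-variable they become; a group with
    more than one distinct name is one the CGI script cannot tell apart."""
    groups: Dict[str, set] = {}
    for name in header_names:
        groups.setdefault(cgi_meta_variable(name), set()).add(name.lower())
    return {var: sorted(names) for var, names in groups.items() if len(names) > 1}
```

A front end that rejects requests returned by `colliding_meta_variables` closes the gap on the server side regardless of what the client's blacklist comparison does.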