- From: Cameron Jones <cmhjones@gmail.com>
- Date: Fri, 22 Feb 2013 16:46:04 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: whatwg <whatwg@lists.whatwg.org>
On Fri, Feb 22, 2013 at 4:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Feb 22, 2013 at 2:29 PM, Cameron Jones <cmhjones@gmail.com> wrote:
> > The HTTP headers are restricted using a copy-paste of those in XHR which is
> > included in the form submission process. Happy to hear any suggestions to
> > improve the structure or general authoring.
>
> You are not making the same checks as
> http://xhr.spec.whatwg.org/#the-setrequestheader%28%29-method does.
> E.g. I could inject a header value in your algorithm that is CRLF
> followed by "Referer: mahahah".

Ahh, yes I see the references... I'll fix that now.

Thanks,
cam
Received on Friday, 22 February 2013 16:46:29 UTC
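
The gap raised in the thread, as an added example that is not part of the original messages or of either specification: a simplified model of setRequestHeader-style checks applied before headers are serialized. The function names, the forbidden-name subset and the sample input are assumptions made for illustration, and the value check is deliberately stricter than the HTTP field-value grammar in that it rejects every CR and LF.

```javascript
// Added example: simplified model of setRequestHeader-style validation.
// FORBIDDEN is an illustrative subset, not the full list from the XHR spec.
const FORBIDDEN = new Set(["referer", "host", "cookie", "origin", "content-length"]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// RFC 2616 "token": visible ASCII characters excluding separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Constructed sample: one author-supplied header whose value embeds CRLF.
const SAMPLE = [["X-Custom", "1\r\nReferer: mahahah"]];

// Returns "ok" or "forbidden"; throws SyntaxError on a malformed name or value.
function checkHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    throw new SyntaxError("invalid header name");
  }
  // Any CR, LF or NUL in the value could terminate the header line early.
  if (typeof value !== "string" || /[\r\n\0]/.test(value)) {
    throw new SyntaxError("invalid header value");
  }
  const lower = name.toLowerCase();
  if (FORBIDDEN.has(lower) || FORBIDDEN_PREFIXES.some((p) => lower.startsWith(p))) {
    return "forbidden"; // dropped silently rather than sent
  }
  return "ok";
}

// Unchecked serializer: the name list alone is restricted nowhere here,
// so a CRLF inside a value becomes a second header line on the wire.
function serialize(headers) {
  return headers.map(([n, v]) => `${n}: ${v}\r\n`).join("");
}

// Checked serializer: validate each pair first, drop forbidden names.
function safeSerialize(headers) {
  return serialize(headers.filter(([n, v]) => checkHeader(n, v) === "ok"));
}

// Header lines as a receiver would split them.
function wireLines(headers, serializer) {
  return serializer(headers).split("\r\n").filter((line) => line.length > 0);
}
```

Filtering only on header names leaves `wireLines(SAMPLE, serialize)` with two lines, the second being the injected `Referer`; `safeSerialize` rejects the same input with a `SyntaxError`.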