
Re: [whatwg] HTTP Forms extension specification

From: Cameron Jones <cmhjones@gmail.com>
Date: Fri, 22 Feb 2013 16:46:04 +0000
Message-ID: <CALGrget--2AJfgYEndJt8geNT6VxzUXAiNQ8eQyQYun_Lfw2pg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: whatwg <whatwg@lists.whatwg.org>
On Fri, Feb 22, 2013 at 4:37 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, Feb 22, 2013 at 2:29 PM, Cameron Jones <cmhjones@gmail.com> wrote:
> > The HTTP headers are restricted using a copy-paste of those in XHR which is
> > included in the form submission process. Happy to hear any suggestions to
> > improve the structure or general authoring.
>
> You are not making the same checks as
> http://xhr.spec.whatwg.org/#the-setrequestheader%28%29-method does.
> E.g. I could inject a header value in your algorithm that is CRLF
> followed by "Referer: mahahah".
>
>
Ahh, yes, I see the references... I'll fix that now.

Thanks,
cam
Received on Friday, 22 February 2013 16:46:29 UTC
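
The gap raised in this message, as an added example that is not part of the original e-mail or of either specification: a name blocklist alone accepts a value carrying CRLF, while a value syntax check rejects it. The function names and the abbreviated forbidden-name list are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not taken from either spec.
// Abbreviated forbidden-name list (assumption: a subset, for illustration only).
const FORBIDDEN = new Set(["referer", "host", "cookie", "content-length", "origin"]);

// Characters allowed in an HTTP header name (the "token" production).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// The only check a copied blocklist performs: is the *name* forbidden?
function nameOnlyCheck(name) {
  const n = name.toLowerCase();
  return !(FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-"));
}

// Name syntax, value syntax, then the blocklist.
function validateHeader(name, value) {
  if (!TOKEN.test(name)) return { ok: false, reason: "invalid name" };
  // CR, LF and NUL in a value would let it terminate the header line early.
  if (/[\r\n\0]/.test(value)) return { ok: false, reason: "invalid value" };
  if (!nameOnlyCheck(name)) return { ok: false, reason: "forbidden name" };
  return { ok: true, reason: null };
}

// What a naive serializer would put on the wire for one header.
function serialize(name, value) {
  return `${name}: ${value}\r\n`;
}

// Header names a receiver would parse out of those bytes.
function parsedNames(wire) {
  return wire
    .split("\r\n")
    .filter((line) => line.includes(":"))
    .map((line) => line.slice(0, line.indexOf(":")).toLowerCase());
}

// Constructed sample: the value described in the quoted reply.
const sample = { name: "X-Note", value: "a\r\nReferer: mahahah" };

console.log("blocklist only accepts:", nameOnlyCheck(sample.name));
console.log("receiver sees:", parsedNames(serialize(sample.name, sample.value)));
console.log("full validation:", validateHeader(sample.name, sample.value));
```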
