Hmm well, the only difference is that these attacks would now work same-site.. I mean..
XHR is restricting that user-agent, and other headers shouldn't be sent, supposedly to protect against the JS code sending wrong headers to the server, but if the restriction can be fooled using a _, isn't the restriction useless now?

It's not an issue that affects all servers, but it does affect a very famous one..

Anyway, it's not a very serious issue.. I just wanted to know if it was going to be considered.

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, Zhejiang, China

On Wed, Dec 16, 2009 at 11:17 PM, Anne van Kesteren <ann...@opera.com> wrote:

> On Wed, 09 Dec 2009 11:33:25 +0100, s...@rckc.at <s...@rckc.at> wrote:
>
>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>> -- Eduardo
>
> It seems it is not considered an issue for same-origin requests per that
> page and cross-origin requests are only dealt with in XMLHttpRequest Level 2
> which requires strict per-header opt-in. Have you talked with implementors
> about this?
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
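
Added example, not part of the original thread: a sketch of why an exact-name header block list and a server that applies CGI-style name mapping (RFC 3875) can disagree about `User_Agent`, plus a server-side check that flags header names aliasing to the same variable. The function names, the block-list subset and the sample headers are assumptions made for illustration.

```javascript
// Added example: names and sample headers are constructed for illustration.

// Subset of the header names XMLHttpRequest refuses to let script set.
const FORBIDDEN = ['user-agent', 'referer', 'host', 'cookie', 'content-length'];

// CGI-style mapping (RFC 3875): upper-case, "-" becomes "_", prefix "HTTP_".
function cgiName(header) {
  return 'HTTP_' + header.toUpperCase().replace(/-/g, '_');
}

// Exact, case-insensitive match on the name: the kind of client-side
// restriction the thread is discussing.
function blockedByExactMatch(header) {
  return FORBIDDEN.includes(header.toLowerCase());
}

// Stricter check: compare after the same normalization the server applies.
function blockedAfterNormalization(header) {
  const target = cgiName(header);
  return FORBIDDEN.some((name) => cgiName(name) === target);
}

// Server-side view: given raw [name, value] pairs, report every CGI variable
// that more than one distinct header name maps to.
function findCollisions(rawHeaders) {
  const seen = new Map();
  for (const [name] of rawHeaders) {
    const key = cgiName(name);
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(name.toLowerCase());
  }
  const out = {};
  for (const [key, names] of seen) {
    if (names.size > 1) out[key] = [...names].sort();
  }
  return out;
}

// Constructed request headers as a server might receive them.
const sample = [
  ['Host', 'example.test'],
  ['User-Agent', 'BrowserDefault/1.0'],
  ['User_Agent', 'set-by-script'],
  ['Accept', '*/*'],
];
console.log(findCollisions(sample));
```

A server or proxy that finds a collision can reject the request or drop the underscore variant before the names are mapped.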