On Sun, Oct 7, 2012 at 4:53 PM, Thiago Macieira <thiago.macie...@intel.com> wrote:
> On Sunday, 7 October 2012 21.23.53, mikko.saa...@nokia.com wrote:
>> xhr.setRequestHeader("Origin","http://www.google.fi\nReferer:http://www.google.fi/whatever");
>>
>> and this results in the HTTP ===>
>>
>> ORIGIN: http://www.google.fi
>> Referer: http://www.google.fi/whatever
>
> Definitely looks like a security risk, thank you for reporting it.
>
> If you find that it's a security issue, contact us at secur...@qt-project.org
> so we can deal with it.
>

Can we get a Security mailing list that uses the email address provided above so as to keep the process more transparent?

Qt's response time to the CRIME vulnerability is/was pathetic (I am partially to blame for that -- didn't report it thinking it would be fixed upstream in SSL itself).

Or perhaps two security related lists: Security-discussion (for a thread like this) and Security-announce (for confirmed vulns, perhaps read-only to the public)?

d3fault

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
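As an added example (not code from the Qt thread or from Qt itself): the check a request-header layer should apply before anything reaches the wire, so that the CR/LF-bearing value quoted in the report above is refused instead of becoming a second header line. The function names and the header list structure are assumptions for illustration.

```javascript
// RFC 7230 token characters, the only ones allowed in a header name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Header values may contain visible ASCII, SP and HTAB only; CR, LF and
// every other control character are rejected so a value can never end
// the current header line and start another.
const FIELD_VALUE_RE = /^[\t\x20-\x7E]*$/;

function validateHeader(name, value) {
  if (typeof name !== "string" || !TOKEN_RE.test(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  if (typeof value !== "string" || !FIELD_VALUE_RE.test(value)) {
    return { ok: false, reason: "invalid header value" };
  }
  return { ok: true };
}

// Hypothetical client-side setter: trims surrounding whitespace (as the
// XMLHttpRequest spec does) and refuses anything that fails validation
// rather than storing it for serialization.
function setRequestHeaderSafe(headers, name, value) {
  const trimmed = String(value).replace(/^[ \t]+|[ \t]+$/g, "");
  const result = validateHeader(name, trimmed);
  if (!result.ok) {
    throw new TypeError(`Refusing header ${JSON.stringify(name)}: ${result.reason}`);
  }
  headers.push([name, trimmed]);
  return headers;
}

// HTTP/1.1 wire form of a validated header list; because every value passed
// FIELD_VALUE_RE, the output has exactly one CRLF per stored header.
function serializeHeaders(headers) {
  return headers.map(([n, v]) => `${n}: ${v}\r\n`).join("");
}

// Constructed inputs: the payload quoted in the report, and a benign value.
const INJECTION = "http://www.google.fi\nReferer: http://www.google.fi/whatever";
const BENIGN = "http://www.google.fi";

console.log(validateHeader("Origin", INJECTION)); // { ok: false, reason: "invalid header value" }
console.log(serializeHeaders(setRequestHeaderSafe([], "Origin", BENIGN)));
```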