Sunava Dutta wrote:
IMHO we need either removeRequestHeader(), getRequestHeader(), or both.

GetRequestHeader could pose a security risk, because you could then 
GetRequestHeader (Cookie) and steal HTTPOnly cookies.

Sure. It would need to be done correctly. That doesn't change the fact that in XHR1, control over the request headers is totally insufficient.

BR, Julian
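
The point about doing it correctly, as an added example that is not part of the original thread or of any XHR implementation: a hypothetical getRequestHeader() that returns only headers the script set itself, so headers the user agent attaches, such as Cookie, stay unreadable. The ModelRequest class, the UA_CONTROLLED list and the sample cookie jar are assumptions constructed for illustration.

```javascript
// Hypothetical model, not a browser API: XHR has no getRequestHeader().
// Headers the user agent controls; script may neither set nor read them.
const UA_CONTROLLED = new Set(["cookie", "cookie2", "host", "referer"]);

class ModelRequest {
  constructor(cookieJar) {
    this.cookieJar = cookieJar;      // constructed sample jar, may hold HttpOnly entries
    this.authorHeaders = new Map();  // only what script set via setRequestHeader()
  }

  setRequestHeader(name, value) {
    const key = name.toLowerCase();
    if (UA_CONTROLLED.has(key)) return;           // ignored, never stored
    const prev = this.authorHeaders.get(key);
    this.authorHeaders.set(key, prev === undefined ? value : prev + ", " + value);
  }

  // Reads back author-set values only; UA-controlled names always yield null.
  getRequestHeader(name) {
    const key = name.toLowerCase();
    if (UA_CONTROLLED.has(key)) return null;
    return this.authorHeaders.has(key) ? this.authorHeaders.get(key) : null;
  }

  // Removes author-set values only; returns whether anything was removed.
  removeRequestHeader(name) {
    return this.authorHeaders.delete(name.toLowerCase());
  }

  // What goes on the wire: author headers plus headers the UA attaches.
  wireHeaders() {
    const out = new Map(this.authorHeaders);
    const cookie = this.cookieJar.map(c => `${c.name}=${c.value}`).join("; ");
    if (cookie) out.set("cookie", cookie);
    return out;
  }
}

// Constructed sample data.
const jar = [{ name: "sid", value: "constructed-secret", httpOnly: true }];
const req = new ModelRequest(jar);
req.setRequestHeader("X-Requested-With", "demo");
req.setRequestHeader("Cookie", "sid=forged");     // dropped by the model
```

The cookie still reaches the server through wireHeaders(), but no script-visible call returns it.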
