To be more precise: the warning you saw was just a security measure of the browser because the former Ajax library tried to set a header that cannot be manually set. This was useless and not harmful in any way, and is now removed.
The attack you refer to is simply the reason why modern browsers refuse to let Ajax callers set these headers. It is about a vulnerability of proxies and web gateways, and is not a concern for OpenERP.

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

** Changed in: openobject-client-web
   Importance: Critical => Low

https://bugs.launchpad.net/bugs/618674

Title: [5.0] HTTP Request Smuggling possible in 5.0

Status in OpenObject Web Client: Fix Released

Bug description:

Hi,

I found an issue when I configure the web client with a reverse proxy. I use Chromium (Chrome web browser) and I activate the JavaScript console. After login, I see the menu, and in my console I see:

- Refused to set unsafe header "Connection"
- Refused to set unsafe header "Content-length"

After some searching on the web, I found this article, http://www.owasp.org/index.php/HTTP_Request_Smuggling, which explains how to exploit this issue by embedding a second HTTP request in the first one.

Regards,

