On Fri, Feb 22, 2013 at 2:29 PM, Cameron Jones <[email protected]> wrote:
> The HTTP headers are restricted using a copy-paste of those in XHR which is
> included in the form submission process. Happy to hear any suggestions to
> improve the structure or general authoring.
You are not making the same checks as http://xhr.spec.whatwg.org/#the-setrequestheader%28%29-method does. E.g. I could inject a header value in your algorithm that is CRLF followed by "Referer: mahahah". Not really convinced by the use cases, but maybe someone else is.

-- 
http://annevankesteren.nl/
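For readers following the thread, here is an added example (not code from either poster or from the spec) of the name/value validation that setRequestHeader() performs and that the form-submission draft is said to lack: a header name must be an HTTP token, a value may not contain CR, LF or NUL after leading/trailing whitespace is stripped, and a set of names is forbidden outright. The function and constant names are assumptions, and the forbidden-name list is the one in the Fetch spec as understood here.

```javascript
// Added example: validate a (name, value) pair the way XHR's
// setRequestHeader() does, so a value such as "foo\r\nReferer: mahahah"
// cannot smuggle a second header line into the request.

// HTTP token characters (RFC 7230 tchar); a name must be a non-empty token.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Forbidden request-header names (Fetch spec list as assumed here);
// "Proxy-" and "Sec-" prefixed names are forbidden as well.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "cookie2", "date", "dnt", "expect", "host", "keep-alive",
  "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbiddenName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Returns null when the pair is acceptable, otherwise a short reason.
function checkRequestHeader(name, value) {
  if (!TOKEN_RE.test(name)) return "invalid header name";
  // Leading/trailing HTTP whitespace (tab, LF, CR, space) is stripped first,
  // so "\r\nReferer: x" on its own becomes the harmless literal value
  // "Referer: x" under the original name; CR/LF/NUL anywhere inside the
  // remaining value is rejected, which is what stops header injection.
  const trimmed = value.replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, "");
  if (/[\0\r\n]/.test(trimmed)) return "invalid header value";
  if (isForbiddenName(name)) return "forbidden header name";
  return null;
}

// Constructed sample: the CRLF case from the thread.
console.log(checkRequestHeader("X-Test", "foo\r\nReferer: mahahah")); // "invalid header value"
```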
