whatwg / xhr

XMLHttpRequest Standard
https://xhr.spec.whatwg.org/

XHR: how can I read request headers? #369

Closed denis-dbm-inactive closed 1 year ago

denis-dbm-inactive commented 1 year ago

Hi all

I was analyzing the XHR living standard to confirm how I can get the request headers before `send()` is called. The reason is security: to avoid XSS attacks, that is, to achieve the "best" way of storing a security (access) token (consider that I don't have a backend / BFF).

Am I right that the XHR spec doesn't allow access to request headers in any way*? Do you know of an implementation (any browser) or known vulnerability which could lead to request headers leaking?

*Except by (re)prototyping XHR, and there are ways to protect against that. Of course, on the client side there are limitations and only some options for being secure.

PS: fetch allows reading the headers; I mention it just to compare the two standards.

Thanks

annevk commented 1 year ago

Could an attacker just not make the request to their own server if they have access to the object?

That would be harder with fetch(), especially if you don't make Headers objects.

But there's also service workers to consider, Spectre, etc.

Anyway, overall this feels more like a question suitable for Stack Overflow or https://whatwg.org/chat, as it doesn't directly impact this standard. Closing, therefore.