whatwg/xhr

XHR: how can I read request headers?

denis-dbm-inactive opened this issue · 1 comment

Hi all

I was analyzing the XHR living standard to confirm how I can get request headers before send() is called. The reason is security, to avoid XSS attacks; that is, to find the "best" way to store a security (access) token (consider that I don't have a backend/BFF).

Am I right that the XHR spec doesn't allow access to request headers in any way*? Do you know of an implementation (any browser) or known vulnerability that could lead to request headers leaking?

*Except by (re)prototyping XHR, and there are ways to protect against that. Of course, on the client side there are limitations and some options to be secured.

PS: fetch allows reading the headers; just to compare the two standards too.

Thanks

Could an attacker just not make the request to their own server if they have access to the object?

That would be harder with fetch(), especially if you don't make Headers objects.

But there's also service workers to consider, Spectre, etc.

Anyway, overall this feels more like a question suitable for Stack Overflow or https://whatwg.org/chat, as it doesn't directly impact this standard. Closing therefore.
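A defensive counterpart to the "(re)prototyping XHR" concern in the question and to the reply's caveat that an attacker with code execution can simply send their own request, as an added example that is not from this thread or from the XHR standard: it pins the XHR request-building methods so a later script cannot replace them, and checks the lock took. It assumes it runs before any untrusted script; the XMLHttpRequest-like prototype it builds for running outside a browser is constructed.

```javascript
// Added example, not code from the whatwg/xhr thread. Locks XHR's request-building
// methods so a later script cannot replace them to observe request headers. Assumes it
// runs first; code that already executes can send the token itself, so this only raises the bar.

function isNativeFunction(fn) {
  // Browser built-ins stringify as "function name() { [native code] }".
  // Caveat: an earlier script could have replaced Function.prototype.toString too.
  return typeof fn === "function" &&
    /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function lockMethods(proto, names) {
  // Pin each own method as non-writable and non-configurable; returns what got locked.
  const locked = [];
  for (const name of names) {
    const desc = Object.getOwnPropertyDescriptor(proto, name);
    if (!desc || typeof desc.value !== "function") continue;
    Object.defineProperty(proto, name, {
      value: desc.value, writable: false, configurable: false, enumerable: desc.enumerable,
    });
    locked.push(name);
  }
  return locked;
}

function isLocked(proto, name) {
  const d = Object.getOwnPropertyDescriptor(proto, name);
  return !!d && d.writable === false && d.configurable === false;
}

function canReplace(proto, name) {
  // Self-check used after locking: true if a plain reassignment would take effect.
  const original = proto[name];
  try { proto[name] = function stub() {}; } catch (e) { /* strict mode throws */ }
  const replaced = proto[name] !== original;
  if (replaced) proto[name] = original; // undo when the check ran before locking
  return replaced;
}

// Constructed stand-in for XMLHttpRequest.prototype so the demo also runs in Node.
function makeXhrLikeProto() {
  return { open() {}, setRequestHeader(k, v) { return [k, v]; }, send() {} };
}

function hardenXhr(proto = typeof XMLHttpRequest === "undefined"
    ? makeXhrLikeProto() : XMLHttpRequest.prototype) {
  const locked = lockMethods(proto, ["open", "setRequestHeader", "send"]);
  return { locked, stillReplaceable: locked.filter((n) => canReplace(proto, n)) };
}
```

In a page this would run as the first inline script; it does nothing against service workers or an attacker who never touches the XHR object at all, which is the reply's point.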