Skip to main content

Request Header Originated With
draft-request-header-originated-with-00

Document Type Expired Internet-Draft (individual)
Expired & archived
Author Noman Riffat
Last updated 2019-06-23 (Latest revision 2018-12-20)
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document proposes a new Request Header that must be initiated every time a user-agent sends XMLHttpRequest. The aim of this header is to limit the possibilities of XSS to RCE and preventing Javascript from stealing CSRF tokens on other URLs of same domain. This will allow developers to block request if it wasn't supposed to be sent via XMLHttpRequest.

Authors

Noman Riffat

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)