by Stealth-
4548 days ago
I imagine it assumes a header like X-Requested-By has not been manipulated. You can safely assume that the referrer, or other headers, have not been manipulated. There is no way for malicious JavaScript running in the user's browser to edit headers. Of course, anyone can code their own browser to lie about headers. It doesn't make much sense to specifically open yourself to vulnerabilities, though.

There's a downside, though: you can't inspect JSONs by simply opening them in a new tab.
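To make the mechanism in the comment concrete, here is an added example (written for this page, not code from the commenter or from any particular framework) of the server-side check such a design relies on. It treats a request as coming from the site's own script only when it carries the custom X-Requested-By header. The guarantee it leans on is the browser's same-origin policy: a navigation, a plain form submission or a cross-origin XMLHttpRequest/fetch cannot attach a custom header unless the target explicitly allows it through a CORS preflight, so a cross-site page cannot forge it, while a user's own modified client of course can. The header name, the expected value `example-app` and the sample requests are assumptions constructed for the example. The last sample also shows the downside from the comment: a GET typed into a new tab has no such header and is refused.

```javascript
// Added example, not part of the original comment.
// Minimal "custom header" CSRF guard for a JSON endpoint.
const REQUIRED_HEADER = 'x-requested-by';   // assumed header name (lowercase, as Node exposes it)
const EXPECTED_VALUE = 'example-app';       // assumed fixed token; any constant the site's JS sends

// Returns true only when the request carries the custom header with the expected value.
// headers: plain object keyed by lowercase header name (Node's http.IncomingMessage shape).
function isTrustedRequest(headers) {
  const value = headers[REQUIRED_HEADER];
  return typeof value === 'string' && value === EXPECTED_VALUE;
}

// Simulated endpoint: 200 with JSON for trusted requests, 403 for everything else.
function handleJsonEndpoint(method, headers) {
  if (!isTrustedRequest(headers)) {
    return { status: 403, body: 'missing or wrong X-Requested-By header' };
  }
  return { status: 200, body: JSON.stringify({ ok: true, method }) };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // Same-origin fetch() from the site's own script: the header is set explicitly.
  sameOriginFetch: {
    method: 'POST',
    headers: { 'x-requested-by': 'example-app', 'content-type': 'application/json' },
  },
  // Cross-site auto-submitted HTML form: browsers send cookies and a Referer,
  // but a form cannot carry custom headers, so the guard rejects it.
  crossSiteForm: {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded', referer: 'https://other.example/' },
  },
  // User opens the JSON URL in a new tab: a bare navigation, no custom header,
  // which is exactly the inconvenience the comment mentions.
  newTabNavigation: {
    method: 'GET',
    headers: { accept: 'text/html,application/json' },
  },
};

// Runs every sample through the endpoint and returns {name: status}.
function evaluateSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    results[name] = handleJsonEndpoint(req.method, req.headers).status;
  }
  return results;
}

console.log(evaluateSamples());
```

In a real deployment the value does not need to be secret; the check works because the browser, not the attacker's page, controls whether the header can be attached. Endpoints that must stay openable in a browser tab (for debugging) are better served by an explicit read-only allowance for GET than by dropping the header requirement everywhere.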