OPTIONS Request in WebKit in Apple Safari Cross-Site Request Forgery (CSRF) Vulnerability.
The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 220.127.116.11, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.
- Microsoft Windows XP
- Microsoft Windows Server 2003
- Microsoft Windows 7
- Microsoft Windows Server 2008
- Microsoft Windows Vista
- Apple Safari
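
A server-side gate that does not depend on the browser handling preflight correctly, as an added example (not code from the advisory or from WebKit): it answers OPTIONS preflights from policy alone, runs no application handler for them, and never treats a custom header on the OPTIONS request as proof of a trusted caller. The origin allowlist, the `X-CSRF-Guard` header name and `gateRequest` are assumptions for illustration.

```javascript
// Added example; ALLOWED_ORIGINS, GUARD_HEADER and gateRequest are assumed names.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed allowlist
const GUARD_HEADER = "x-csrf-guard"; // hypothetical custom header used as a CSRF marker
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Decide what to do with a request before any application handler runs.
// req: { method, headers }, with header names already lower-cased.
function gateRequest(req) {
  const method = req.method.toUpperCase();
  const origin = req.headers["origin"];
  const originAllowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  if (method === "OPTIONS") {
    // Preflight is answered from policy alone. Custom headers carried on the
    // OPTIONS request itself are ignored: an affected browser may attach them.
    if (!originAllowed || !req.headers["access-control-request-method"]) {
      return { action: "reject", status: 403, runHandler: false };
    }
    return {
      action: "preflight", status: 204, runHandler: false,
      headers: {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": GUARD_HEADER,
        "Vary": "Origin",
      },
    };
  }
  if (SAFE_METHODS.has(method)) {
    return { action: "handle", status: 200, runHandler: true };
  }
  // State-changing request: the custom header is required, and when the
  // browser sends an Origin it must also be on the allowlist.
  const hasGuard = req.headers[GUARD_HEADER] !== undefined;
  if (!hasGuard || (origin !== undefined && !originAllowed)) {
    return { action: "reject", status: 403, runHandler: false };
  }
  return { action: "handle", status: 200, runHandler: true };
}
```

Routing every method, OPTIONS included, through the same state-changing handler is the server-side pattern this gate rules out.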