CVE-2009-2816

Name of the Vulnerable Software and Affected Versions Apple Safari versions prior to 4.0.4 Google Chrome versions prior to 3.0.195.33

Description The implementation of Cross-Origin Resource Sharing (CORS) in WebKit includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight. This makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page. WebKit sends a preflight request to the server for access to the resource and includes custom HTTP headers specified by the requesting page in the preflight request.

Recommendations For Apple Safari versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. For Google Chrome versions prior to 3.0.195.33, update to version 3.0.195.33 or later to resolve the issue. As a temporary workaround, consider restricting access to custom HTTP headers in preflight requests until a patch is available.