The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

Related Vulnerabilities

platform vulnerability
CVE-2009-2816 qt4-x11
CVE-2009-2816 kde4libs
CVE-2009-2816 webkit