In this short note I'll describe a bug I found in Chrome recently. It allowed setting arbitrary headers in cross-domain requests. @insertScript recently found a very similar bug in the Adobe Reader plugin, but it turns out you can still expect such bugs in browsers themselves. Why is it serious? Because you can use it to inject any request headers, including ones on which security decisions are based,