XSS or CSRF that requires header injection
The security model of modern browsers and browser plugins is designed to prevent malicious websites from making unsolicited cross-origin requests with attacker-controlled values in HTTP headers such as Host, User-Agent, or Referer.
Because of this, we generally do not consider reports of cross-site scripting or cross-site request forgery bugs to be a security risk if the only way to exploit them is to spoof an HTTP header sent by the victim's browser to the affected web origin. Likewise, reports of Host header injection vulnerabilities will be rejected.
Conclusion
As with most other types of security attacks, it is helpful to think about and outline a specific, practical attack scenario for every bug. Make sure that the attack scenario is complete: if your bug report hinges on the presence of an additional hypothetical vulnerability, we will probably reject it.