XSS or XSRF that requires header injection

The security model of modern browsers and browser plugins is designed to prevent a malicious website from making cross-origin requests that carry attacker-controlled values in HTTP headers such as Host, User-Agent, Referer, Origin or Cookie. These headers are set by the browser itself and cannot be overridden from a page's JavaScript (the Fetch standard calls them forbidden request headers), and any other non-standard header is only sent cross-origin after a CORS preflight that the target origin must explicitly approve.

Because of this, we generally do not consider reports of cross-site scripting or cross-site request forgery bugs to be a security risk if the only way to exploit them is to spoof an HTTP header sent by the victim's browser to the affected web origin. An attacker who sends the crafted header from their own client is attacking with their own request, not the victim's, so the cross-site element of the attack is missing. Likewise, reports of Host header injection vulnerabilities will be rejected.
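The distinction above can be checked mechanically. The following triage helper is an added example, not code from this page or from the program that publishes it: it models the Fetch standard's "forbidden request-header" and "CORS-safelisted request-header" definitions (https://fetch.spec.whatwg.org/) and classifies each header a report relies on as dropped by the browser, gated behind a CORS preflight, or freely sendable cross-origin. The sample reports at the bottom are constructed for illustration; the function names are this example's own.

```javascript
// Added example: classify request headers a bug report depends on, following
// the Fetch Standard's forbidden and CORS-safelisted request-header rules.
// Only a "safelisted" header reaches a cross-origin target with an
// attacker-chosen value without that target's CORS consent.

const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin", "referer",
  "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const METHOD_OVERRIDE_NAMES = new Set(["x-http-method", "x-http-method-override", "x-method-override"]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Forbidden request header: the browser silently refuses to set it from JS.
function isForbiddenRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (METHOD_OVERRIDE_NAMES.has(n)) {
    // Comma-separated list; any forbidden method makes the header forbidden.
    return value.split(",").some((m) => FORBIDDEN_METHODS.has(m.trim().toUpperCase()));
  }
  return false;
}

// CORS-unsafe request-header byte: controls (except tab), DEL and the listed
// delimiters. A value containing one is never safelisted.
function hasCorsUnsafeByte(value) {
  for (const b of Buffer.from(value, "utf8")) {
    if ((b < 0x20 && b !== 0x09) || b === 0x7f) return true;
    if ('"():<>?@[\\]{}'.includes(String.fromCharCode(b))) return true;
  }
  return false;
}

// Simple range header value: bytes=<start>-<end>, at least one number,
// start <= end when both are present.
function isSimpleRangeValue(value) {
  const m = /^bytes=(\d*)-(\d*)$/.exec(value);
  if (!m) return false;
  const [start, end] = [m[1], m[2]];
  if (start === "" && end === "") return false;
  if (start !== "" && end !== "" && Number(start) > Number(end)) return false;
  return true;
}

// CORS-safelisted request header: may be sent cross-origin without a preflight.
function isCorsSafelistedRequestHeader(name, value) {
  if (Buffer.byteLength(value, "utf8") > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !hasCorsUnsafeByte(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (hasCorsUnsafeByte(value)) return false;
      const essence = value.split(";")[0].trim().toLowerCase(); // MIME type without parameters
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    case "range":
      return isSimpleRangeValue(value);
    default:
      return false;
  }
}

// One header the report says the victim's browser must send with an attacker-chosen value.
function classifyHeader(name, value) {
  if (isForbiddenRequestHeader(name, value)) return "forbidden";     // browser will not set it
  if (isCorsSafelistedRequestHeader(name, value)) return "safelisted"; // sent cross-origin freely
  return "preflight"; // needs the target's Access-Control-Allow-Headers opt-in
}

// The cross-site attack scenario is complete only if every required header is safelisted.
function triageReport(requiredHeaders) {
  const verdicts = {};
  for (const [name, value] of Object.entries(requiredHeaders)) {
    verdicts[name] = classifyHeader(name, value);
  }
  return { verdicts, deliverable: Object.values(verdicts).every((v) => v === "safelisted") };
}

// Constructed sample reports (not real submissions).
const hostInjectionReport = { "Host": "attacker.example" };
const customHeaderCsrfReport = { "X-Requested-With": "XMLHttpRequest", "Referer": "https://trusted.example/" };
const formPostReport = { "Content-Type": "application/x-www-form-urlencoded" };

for (const r of [hostInjectionReport, customHeaderCsrfReport, formPostReport]) {
  console.log(JSON.stringify(triageReport(r)));
}
```

A "forbidden" verdict means the report needs a header the victim's browser will never let attacker script set; a "preflight" verdict means the header only arrives if the target already serves permissive CORS headers, which is a separate finding the report would have to demonstrate. User-Agent is no longer on the standard's forbidden list, so the helper treats it as preflight-gated rather than dropped; either way it does not reach a cross-origin target uninvited.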

As with most other types of security attacks, it is helpful to think through and outline a specific, practical attack scenario for every bug. Make sure that the attack scenario is complete: if your bug report hinges on the presence of an additional hypothetical vulnerability (for example, some unspecified way of making the victim's browser send a spoofed header), it will probably get rejected on our end :-)