> That's not a reason not to consider it a threat vector when implementing, but no more than when implementing any header (that interacts with another)

But the header wouldn't have interacted with another header if we hadn't decided to do this X-prefix nonsense!