Tony Stark
Reputation: 3463
header restrictions with XHR
does XMLHTTPRequest allow one to set "any" headers? Because it seems to be limiting me from setting the host header.
Upvotes: 5
Views: 1507
Answers (1)
Samuel Zhang
Reputation: 1280
No, as it will cause security issues. Please refer to W3C XMLHttpRequest Level 2 spec, the setRequestHeader() method should terminate if header is a case-insensitive match for one of the following headers:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Cookie2
- Content-Transfer-Encoding
- Date
- Expect
- Host
- Keep-Alive
- Origin
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- User-Agent
- Via
Update: Konstantinos Filios is right that latest list can be found in WHATWG XMLHttprequest spec.
Upvotes: 9
Related Questions
- how to get headers from xhr?
- Adjust XHR Header
- How to pass headers for an XMLHttpRequest request
- xhr.setRequestHeader() merging my headers
- xhr request Control Origin
- How to set getAllResponseHeaders() on xhr object
- XHR request only headers
- Javascript request over XHR
- Restrictions of XMLHttpRequest's getResponseHeader()?
- xmlHttpRequest and cross-site restriction