Does HttpUrlConnection censor some headers, notably Origin?

Question

I'm trying to create some tests for a web services that implements CORS. So, I need to send Origin headers. When I call addRequestProperty("origin", origin), the origin header does not seem to appear at the server. I say 'seem' -- I'm got a servlet iterating over all the headers printing them out, and it does not appear. I haven't gone all the way to TCPMon or sending the request over a plain socket connection.

The javadoc for HttpUrlConnection doesn't mention any limits that I've seen, but I might have skipped a critical sentence. Is this a well-known limitation?

Answer 1

I found https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java#L189

The author, cleverly, decided to forbid Origin and other CORS-related headers without actually implementing the CORS spec. It's pretty depressing.