Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Which HTTP headers may JavaScript set?

Tags:

http-headers

javascript

http

xmlhttprequest

Does the W3C specify which HTTP headers an XMLHttpRequest may set? If so, have they published a document justifying these requirements with security reasons?

Is it up to the browser to restrict HTTP headers at its own discretion? If so, is there a document or collection of documents online that lists the quirks of different XHR implementations or is it necessary to find that information in the documentation for each implementation?

like image 653
Jordan Avatar asked Aug 09 '12 02:08

Jordan

1 Answers

W3C has this spec about headers allowed by setRequestHeader

Terminate these steps if header is a case-insensitive match for one of the following headers:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Content-Transfer-Encoding
  • Date
  • Expect
  • Host
  • Keep-Alive
  • Origin
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • User-Agent
  • Via

… or if the start of header is a case-insensitive match for Proxy- or Sec- (including when header is just Proxy- or Sec-).

The above headers are controlled by the user agent to let it control those aspects of transport. This guarantees data integrity to some extent. Header names starting with Sec- are not allowed to be set to allow new headers to be minted that are guaranteed not to come from XMLHttpRequest.

Also you may consider:

If header is not in the author-request-headers list append header with its associated value to the list and terminate these steps.

About browsers implementation, I've found this nice test: https://dvcs.w3.org/hg/webapps/diff/5814514eeba4/tests/XMLHttpRequest/setrequestheader-header-forbidden.htm that you cant use to find current differences.

For example, IE has this definition of security on headers:

IE: Refer to RFC2616, Section 14: Header Field Definitions for a general list of standard headers. The server is ultimately responsible for honoring the headers of the request. By far the most common request header is Content-Type, which is required by some XML Web services.

like image 142
Martin Borthiry Avatar answered Nov 13 '22 05:11

Martin Borthiry
Sign in to Comment

Related questions

Vuejs 2: how to detect img.complete property
value of a text box based on the value of other text box
Node and Express: How to implement basic webhook server
web3 websocket connection prevents node process from exiting
Svelte.js - How to rerender child components with new props?
Cannot set cookie in iframe using the Storage Access API on Safari
How to use translation __() with hyperlinks
AJAXify site
JavaScript Event Listeners vs Event Handlers
Javascript MVC framework [closed]
Stop suppressing JavaScript errors
detect cursor type
Convert a signed decimal to hex encoded with two's complement
*Really* deleting cookies with javascript
Google analytics illegal cookie breaks Python backend
Is it possible to implement a js version of Haskell's unzip in a purely functional fashion?
Unsafe JavaScript attempt to access frame with google maps
HTML5 Speech recognition --- is there a way to set what the user is expected to say dynamically? (Using custom Grammars)
angularjs inject module after app initialization
How do you detect if an html element can append child nodes?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!