I was wondering why one cannot set cookie headers using setRequestHeader. Is there any specific reason, or is it just that they are added by the browser itself, so these headers are disabled? Is there any security issue?
I am working on node.js and used the following:

    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.withCredentials = true;            // the browser attaches its own cookies for the target origin
    xhr.setRequestHeader('Cookie', 'name=value'); // this is the call the browser refuses (placeholder value)
    xhr.send();

    Refused to set unsafe header
I am sure you would have gone through the working draft and found:

    The above headers are controlled by the user agent to let it control those aspects of transport.
Firstly, we need to understand that these are standards working as guidelines for interoperability of functions between different browsers. It is not mandated for the browser, and hence browsers do have different levels of adherence to this standard for different reasons.
Secondly, technically speaking, you can emulate a user agent, treat your program as the browser, and very well set those values as per the mentioned standards.
Finally, the intent of disallowing overwriting of headers, or setting up headers for certain fields like Cookie, echoes the secure design approach. It is to discourage, or at least try to discourage, HTTP request smuggling.
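As an added example that is not part of the question or the answer: the forbidden-name check a browser applies inside setRequestHeader, re-implemented in JavaScript for a Node.js service that forwards client-supplied headers, so the headers the user agent controls (Cookie, Host, Content-Length, Transfer-Encoding and friends) are dropped rather than relayed. The name list is taken from the WHATWG Fetch standard's forbidden request-header names and is assumed current at the time of writing; the sample headers are constructed.

```javascript
// Added example: a server-side copy of the user agent's "forbidden request
// header" rule, for a Node.js proxy that forwards client-supplied headers.
// Name list per the WHATWG Fetch standard (assumed current; re-check the spec).
'use strict';

const FORBIDDEN_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

// True when a browser's setRequestHeader() would refuse this header name.
// Header names are case-insensitive, so compare in lower case.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  if (FORBIDDEN_NAMES.has(n)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => n.startsWith(prefix));
}

// Split a header object into the part safe to forward and the part dropped.
// Not relaying Host / Content-Length / Transfer-Encoding from the client is
// what keeps a proxy from passing on request-smuggling framing conflicts;
// cookies come from the proxy's own credential handling, not the client.
function stripForbiddenHeaders(headers) {
  const allowed = {};
  const rejected = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name)) rejected.push(name);
    else allowed[name] = value;
  }
  return { allowed, rejected };
}

// Constructed sample input: headers a client tried to have the proxy forward.
const sample = {
  'Cookie': 'session=abc',          // constructed value
  'X-Request-Id': '42',
  'Transfer-Encoding': 'chunked',
  'Sec-Fetch-Mode': 'cors',
};
const result = stripForbiddenHeaders(sample);
console.log(result.rejected); // prints [ 'Cookie', 'Transfer-Encoding', 'Sec-Fetch-Mode' ]
console.log(result.allowed);  // prints { 'X-Request-Id': '42' }
```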