I am trying to implement simple xhr abstraction, and am getting this warning when trying to set the headers for a POST. I think it might have something to do with setting t
it is also ignoring my setRequestHeader calls and generating its own
Yes, the standard says it must:
For security reasons, these steps should be terminated if header is [...]
- Connection
- Content-Length
Messing around with those could expose various request smuggling attacks, so the browser always uses its own values. There's no need or reason to try to set the request length, as the browser can do that accurately from the length of data you pass to send()
.