
It seems that I am unable to change most request headers from JavaScript when making an AJAX call using XMLHttpRequest. Note that request.setRequestHeader has to be called after request.open() in Gecko browsers (see http://ajaxpatterns.org/Talk:XMLHttpRequest_Call). When I set the Referer, it doesn't get set (I looked at the request headers sent using Firebug and Tamper Data). When I set User-Agent, it messed up the AJAX call completely. Setting Accept and Content-Type does work, however. Are we prevented from setting Referer and User-Agent in Firefox 3?

var request = new XMLHttpRequest();
var path = "http://www.yahoo.com";
request.onreadystatechange = state_change;

// setRequestHeader must be called after open() and before send()
request.open("GET", path, true);
request.setRequestHeader("Referer", "http://www.google.com");   // never appears in the sent request
//request.setRequestHeader("User-Agent", "Mozilla/5.0");         // breaks the call when enabled
request.setRequestHeader("Accept", "text/plain");               // these two do get sent
request.setRequestHeader("Content-Type", "text/plain");

request.send(null);

function state_change() {
  if (request.readyState == 4) {        // 4 = DONE (response fully received)
    if (request.status == 200) {        // 200 = OK
      // ...our code here...
      alert('ok');
    } else {
      alert("Problem retrieving XML data");
    }
  }
}
informatik01, user121196
    offhand not sure (no tools to test right now either), but it seems likely since both of these headers shouldn't need to be set and in fact setting them is intrinsically suspicious – annakata Aug 12 '09 at 20:55

3 Answers


W3C Spec on setrequestheader.

The brief points:

If the request header had already been set, then the new value MUST be concatenated to the existing value using a U+002C COMMA followed by a U+0020 SPACE for separation.

UAs MAY give the User-Agent header an initial value, but MUST allow authors to append values to it.

However, after searching through the XHR code in the jQuery framework: they don't allow you to change the User-Agent or Referer headers. The closest thing:

// Set header so the called script knows that it's an XMLHttpRequest
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");

I'm leaning towards the opinion that what you want to do is being denied by a security policy in FF. If you want to pass some custom Referer-type header, you could always do:

xhr.setRequestHeader('X-Alt-Referer', 'http://www.google.com');
extempl, gnarf

@gnarf's answer is right. I wanted to add more information.

Mozilla Bug Reference : https://bugzilla.mozilla.org/show_bug.cgi?id=627942

Terminate these steps if header is a case-insensitive match for one of the following headers:

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Referer
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via

Source : https://dvcs.w3.org/hg/xhr/raw-file/tip/Overview.html#dom-xmlhttprequest-setrequestheader

aked
  • Yeah it's weird. The old draft gnarf refers to says that UAs MUST allow authors to append stuff to the User-Agent header. But the current spec says that UAs MUST ignore any modification attempts to the User-Agent header. – Robert Aug 28 '14 at 18:33

For people looking this up now:

It seems that now setting the User-Agent header is allowed since Firefox 43. See https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name for the current list of forbidden headers.

Redmer K.
  • If by "this header" you meant `Referer` here, then no, you cannot modify it. It is forbidden. The official forbidden request headers list is found at . When you provided this answer MDN may have stated incorrect information. IIRC this header used to allow appending to it--but not outright setting of it--so it hasn't always been on the forbidden request headers list. However, its modification was still severely restricted. – cmt Jan 07 '19 at 13:20
  • @cmt You are right! Thank you, I improved my answer to specify that `User-Agent` now _can_ be changed. – Redmer K. Jan 08 '19 at 14:05
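As an added example, not code from the question or from any of the answers above: a small JavaScript model of how a current browser's XMLHttpRequest.setRequestHeader() treats the header names discussed in this thread, so the behaviour can be checked offline instead of in Firebug. It drops the forbidden names from the list aked quoted (matched case-insensitively and with no exception thrown, which is why the Referer in the question simply never showed up), joins repeated names with ", " as the spec text gnarf quoted says, and leaves User-Agent settable as Redmer K. notes for Firefox 43 and later. Two details are assumptions taken from the current Fetch standard rather than from this page: the rule that any name starting with Proxy- or Sec- is also forbidden, and the SyntaxError thrown for a malformed header name. `setRequestHeaders` works against a real XMLHttpRequest in a browser or any object with a `setRequestHeader` method; `simulateHeaderList` and `QUESTION_HEADERS` are stand-ins constructed here to show what would reach the wire.

```javascript
// Added example, not part of the original question or answers.
// Models XMLHttpRequest.setRequestHeader() behaviour for the header names
// discussed in this thread so it can be exercised without a browser.

// Forbidden request header names from the list quoted in aked's answer,
// minus User-Agent (settable since Firefox 43 / current Fetch standard).
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding",
  "access-control-request-headers", "access-control-request-method",
  "connection", "content-length", "cookie", "cookie2", "date", "dnt",
  "expect", "host", "keep-alive", "origin", "referer", "te", "trailer",
  "transfer-encoding", "upgrade", "via",
]);

// RFC 7230 "token" characters; anything else is not a valid header name.
const HEADER_NAME_TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Assumption (from the current Fetch standard, not from this page): names
// starting with "proxy-" or "sec-" are forbidden as well.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n) ||
         n.startsWith("proxy-") || n.startsWith("sec-");
}

// Browsers throw a SyntaxError DOMException for a malformed name but
// silently ignore a forbidden one; the latter is what the question observed.
function validateHeaderName(name) {
  if (!HEADER_NAME_TOKEN.test(name)) {
    throw new SyntaxError(`'${name}' is not a valid HTTP header name`);
  }
}

// Apply [name, value] pairs to anything with setRequestHeader(): a real
// XMLHttpRequest (after open(), before send()) or a stub in tests. Returns
// the names the browser would have dropped, so the caller can log them
// instead of discovering the omission in a traffic capture.
function setRequestHeaders(xhr, pairs) {
  const skipped = [];
  for (const [name, value] of pairs) {
    validateHeaderName(name);
    if (isForbiddenRequestHeader(name)) { skipped.push(name); continue; }
    xhr.setRequestHeader(name, value);
  }
  return skipped;
}

// Stand-in for the browser's internal header list: same filtering, with
// repeated names combined as "value1, value2" per the spec text quoted above.
// Returns [[name, value], ...] in first-seen order.
function simulateHeaderList(pairs) {
  const list = new Map(); // lower-case name -> [name as first given, value]
  for (const [name, value] of pairs) {
    validateHeaderName(name);
    if (isForbiddenRequestHeader(name)) continue;
    const key = name.toLowerCase();
    const v = String(value).trim();
    if (list.has(key)) list.get(key)[1] += ", " + v;
    else list.set(key, [name, v]);
  }
  return Array.from(list.values());
}

// Constructed input: the headers from the question plus gnarf's workaround.
const QUESTION_HEADERS = [
  ["Referer", "http://www.google.com"],        // forbidden: dropped silently
  ["User-Agent", "Mozilla/5.0"],               // allowed on current browsers
  ["Accept", "text/plain"],
  ["Content-Type", "text/plain"],
  ["X-Alt-Referer", "http://www.google.com"],  // custom header, not forbidden
];

// What would actually go on the wire for the question's call.
function questionWireHeaders() {
  return simulateHeaderList(QUESTION_HEADERS);
}

// Stand-alone demo; the real XHR part only runs in a browser.
if (typeof XMLHttpRequest !== "undefined") {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", "http://www.yahoo.com", true);
  const skipped = setRequestHeaders(xhr, QUESTION_HEADERS);
  console.log("headers the browser will ignore:", skipped);
}
```

Two caveats for anyone adopting the X-Alt-Referer approach: the value is set by the page's own script, so a server must never treat it as the real Referer for an origin or CSRF check; and a non-safelisted custom header turns a cross-origin XHR into one that needs a CORS preflight, so the target (yahoo.com in the question) would have to allow it explicitly in Access-Control-Allow-Headers.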