Refused to set unsafe header Connection/Content-length

Question

I'm working on a website and I have a problem right here. On the page I'm working, the user puts an ip address and the ports he wants to be searched. This is being made with ajax (user side) and php (server side). Ajax sends the ip and port (one by one) to the php file, and he returns the result of the port. The goal is that user sees what's the port is being tested (in a div element) at the moment, and here is where the problem is. He runs/works well, he tests all the ports the user wants to, but during the test period he shows no port, just shows the final port (after all previous ports have been tested) and the result of the ports (if some port had a result) which appears in a distinct div element. This just works perfectly in Firefox, in other browsers happens what I just explained. The Google Chrome console says: Refused to set unsafe header "Content-length" and Refused to set unsafe header "Connection". I've been searching about this problem for days and I found so many things and I tried them, but none of them solved the problem.

Here is my code.

jquery.js

function HttpRequest(endereco, portainicio)
{      
    var xmlhttp;
    var params = "endereco="+endereco+"&"+"porta="+portainicio;

    if (window.XMLHttpRequest) // IE7+, Firefox, Chrome, Opera, Safari
    {
        xmlhttp = new XMLHttpRequest();
    }

    else // IE6, IE5
    {
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }

    xmlhttp.open("POST", "/firewall/ajax", false);

    //alert(params);

    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", params.length);
    xmlhttp.setRequestHeader("Connection", "close");

    xmlhttp.send(params);
    return xmlhttp.responseText;
}

function ajaxfirewall()
{
    (...)

    var resposta;

    $("p.ip").append("<span class='end'> "+endereco+"</span>");       

    for (portainicio; portainicio <= portafinal; portainicio++)
    {   
        resposta = HttpRequest(endereco, portainicio);              
        $("p.porta").append(" <span class='tporta'>"+ resposta+"</span><br>");
    }

    return false;
}

Another thing it's really strange. Do you see those alert(params); which are commented in the HttpRequest function? If I leave it uncommented it displays the port which is being tested, but it shows the alert and I don't want that.

Answer 1

Without the HTML your jquery.js is supposed to work on this involves some guesswork (maybe you could post the relevant excerpt (Hint, hint)). I would consider it possible that $("p.porta") cannot be found or that the appended HTML reacts in an unexpected way. You should try to just print your results to console using e.g. console.log (that is you are using Firebug or some such) in order to see what you get at what time. Maybe you will find something on the client side too.

Update Judging from this question and its accepted answer the Chrome behavior is actually what you should expect. The standard for XMLHttpRequests prescribes that these two headers should not be set by the client in order to avoid request smuggling attacks. You just should not set them (even if your PHP source tells you to).