5

I'm trying to build a JSON/JavaScript interface to check emails on haveibeenpwned.

However, when trying to set the header, I get an error (in developer tools):

jquery-1.10.2.js:8699 Refused to set unsafe header "User-Agent"

This is my code:

    $(document).ready(function() {
        $.ajax({
            url: 'https://haveibeenpwned.com/api/v2/breachedaccount/mark@fixitks.co.uk',
            type: 'GET',
            dataType: 'json',
            success: function() { alert('hello!'); },
            error: function() { alert('boo!'); },
            headers: {
                'User-Agent': 'uaheader'
            }
        });
    });

I can run similar code from C# in the browser without any issues, but not in JavaScript.

Is there any way around this?

Thanks, Mark

Quentin
Mark Tait
  • 2
    the browser will restrict you from setting that on an ajax call. – Daniel A. White Feb 22 '19 at 13:33
  • thanks - can I do it from just Javascript in that case, if I don't use ajax - or would that be restricted too? – Mark Tait Feb 22 '19 at 13:34
  • 2
    ajax is javascript - jquery is just wrapping that. there's nothing you can do directly from the browser – Daniel A. White Feb 22 '19 at 13:35
  • ... or rather directly from JS. You can override the userAgent string in Chrome's dev tools, in FF you've to set it in about: configurations. – Teemu Feb 22 '19 at 13:36
  • "jquery-1.10.2.js" — **Danger** jQuery 1.x is no longer supported and has known security problems. Upgrade to a supported version of jQuery. – Quentin Feb 22 '19 at 14:35
  • 1
    Possible duplicate of [WebKit "Refused to set unsafe header 'content-length'"](https://stackoverflow.com/questions/2623963/webkit-refused-to-set-unsafe-header-content-length) – Heretic Monkey Feb 22 '19 at 14:43

1 Answer

2

There are a number of forbidden headers for the setRequestHeader method. You can check here

This doc also says,

> Note: The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader().

So if you run it from Firefox 43+, it will not show Refused to set unsafe header "User-Agent".

You will not face this problem if you make the request from your server.

Vikas
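
The answer's last point (make the request from your server), sketched as an added example that is not part of the original answer: the page calls your own endpoint, and server-side code sets `User-Agent` and validates the address before building the upstream URL. It assumes Node.js 18+ (global `fetch`); the function names and the User-Agent value are hypothetical placeholders.

```javascript
// Added example, not from the question or answer. Assumes Node.js 18+.
// Endpoint path is the one used in the question.
const HIBP_BASE = 'https://haveibeenpwned.com/api/v2/breachedaccount/';
// Placeholder value: the server picks this, never the browser.
const APP_USER_AGENT = 'example-breach-checker';

// Conservative shape check: rejects whitespace and URL metacharacters
// (/ \ ? #) so client input cannot alter the upstream path or query.
const EMAIL_RE = /^[^\s@\/\\?#]+@[^\s@\/\\?#]+\.[^\s@\/\\?#]+$/;

// Build the outbound request, or return null if the input is unusable.
function buildUpstreamRequest(email) {
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    return null;
  }
  return {
    url: HIBP_BASE + encodeURIComponent(email),
    options: {
      method: 'GET',
      // Outside a browser there is no forbidden-header list, so this is accepted.
      headers: { 'User-Agent': APP_USER_AGENT, 'Accept': 'application/json' },
    },
  };
}

// Call this from your own route handler and return the result to the page.
// fetchImpl is injectable so the function can be exercised offline.
async function lookupBreaches(email, fetchImpl = fetch) {
  const req = buildUpstreamRequest(email);
  if (!req) return { status: 400, body: { error: 'invalid email' } };

  const res = await fetchImpl(req.url, req.options);
  // HIBP answers 404 when the address appears in no breach.
  if (res.status === 404) return { status: 200, body: [] };
  // Do not relay upstream error details to the client.
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
  return { status: 200, body: await res.json() };
}
```

The browser code then requests your own origin with no custom `User-Agent`, so the "unsafe header" check never triggers.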