110

I have the following custom ajax function that posts data back to a PHP file. Every time the post of data happens I get the following two errors:

Refused to set unsafe header "Content-length"
Refused to set unsafe header "Connection"

Code :

function passposturl(url1, params, obj)
{
    //url1 = url1+"&sid="+Math.random();
    xmlHttp = get_xmlhttp_obj();
    xmlHttp.loadflag = obj;
    xmlHttp.open("POST", url1, true);
    //alert(url1);
    //alert(params);
    //alert(obj);
    //alert(params.length);
    xmlHttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlHttp.setRequestHeader("Content-length", params.length); // produces: Refused to set unsafe header "Content-length"
    xmlHttp.setRequestHeader("Connection", "close");           // produces: Refused to set unsafe header "Connection"
    xmlHttp.onreadystatechange = function ()
    {
        stateChanged(xmlHttp);
    };
    xmlHttp.send(params);
}

What am I doing wrong?

sniper
    See: http://stackoverflow.com/questions/2623963/webkit-refused-to-set-unsafe-header-content-length – Joe Aug 26 '11 at 21:03
  • Hey Joey. I did go through that before I posted it here. I still am not getting it. All I have to do is comment the setRequestHeader lines? – sniper Aug 26 '11 at 21:15

2 Answers

180

Remove these two lines:

xmlHttp.setRequestHeader("Content-length", params.length);
xmlHttp.setRequestHeader("Connection", "close");

XMLHttpRequest isn't allowed to set these headers; they are being set automatically by the browser. The reason is that by manipulating these headers you might be able to trick the server into accepting a second request through the same connection, one that wouldn't go through the usual security checks - that would be a security vulnerability in the browser.

Wladimir Palant
    What "vulnerability" does `Connection: close` cause? If you know a request will take a long time, it *should* be possible to request that it not tie up the persistent connection. Browsers don't support request pipelining either, so if a long running request comes before a normal request, then it will block the 2nd request for the full keepalive time. If the long running request could use "Connection: close" then it would be possible to request that it not tie up the persistent connection and cause (for example) an unnecessary 5 second delay (where 5 seconds is the keep-alive time). – doug65536 Dec 15 '13 at 06:19
  • 3
    @doug65536: Browsers don't validate header values, they simply disallow setting headers that you shouldn't mess with. – Wladimir Palant Dec 16 '13 at 06:41
  • Hi Wladimir, how do I pass my parameter if those 2 lines are removed? – questionasker Jul 15 '17 at 03:48
  • @anunixercoder: You don't. These two headers are set automatically by the browser and cannot be changed. – Wladimir Palant Jul 15 '17 at 09:23
  • Re: "it should be possible to request that it not tie up the persistent connection." -- that's not what |Connection: close| does. – EricLaw May 09 '19 at 00:55
2

Section 4.6.2 of the W3C XMLHttpRequest Level 1 spec lists headers that "are controlled by the user agent" and not allowed to be set with the setRequestHeader() method. Both Connection and Content-length are in that list.

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Referer
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via
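The following is an added example, not code from the question or from either answer. It models, without a browser, what setRequestHeader() does with the two headers the question tried to set, using the user-agent-controlled header list quoted in the second answer, and shows the question's helper with the two offending lines removed as the first answer recommends. FakeXhr, isForbiddenRequestHeader, originalPassposturl and the 'name=René' body are constructed for this example; the proxy-/sec- prefix rule in the check comes from the later Fetch standard's forbidden-header-name definition, not from the Level 1 list above. It runs under Node.

```javascript
// Header names the user agent controls, from the XMLHttpRequest Level 1 list
// quoted in the second answer. Lower-cased because header names are
// case-insensitive, so "Content-length" and "Content-Length" must both match.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin',
  'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'user-agent',
  'via',
]);

// Returns true for a header a script is not allowed to set. The Proxy-/Sec-
// prefix rule is the Fetch standard's addition (assumption: not on the page).
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n)
    || n.startsWith('proxy-') || n.startsWith('sec-');
}

// Hypothetical stand-in for XMLHttpRequest with only what this example needs.
// It mirrors the browser behaviour the answers describe: a forbidden header is
// dropped with a console message rather than sent, and Content-Length is
// computed by the "browser" from the encoded body at send() time.
class FakeXhr {
  constructor() {
    this.headers = {};   // headers the script was allowed to set
    this.refused = [];   // headers the script tried to set and was refused
    this.sent = null;    // what send() would put on the wire
  }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) {
      this.refused.push(name);
      console.warn(`Refused to set unsafe header "${name}"`);
      return;            // ignored, the request still goes out
    }
    this.headers[name] = String(value);
  }
  send(body) {
    // The body is serialised as UTF-8 and Content-Length is its byte count.
    // A script-supplied params.length counts UTF-16 code units instead, so it
    // is wrong for any non-ASCII payload even if the browser accepted it.
    const bytes = new TextEncoder().encode(body);
    this.sent = {
      method: this.method,
      url: this.url,
      headers: { ...this.headers, 'Content-Length': String(bytes.length) },
      body,
    };
    if (this.onreadystatechange) this.onreadystatechange();
    return this.sent;
  }
}

// The question's helper with the two refused lines removed (the fix from the
// accepted answer). The XHR constructor is a parameter so the same function
// runs here with FakeXhr and in a page with window.XMLHttpRequest.
function passposturl(url1, params, obj, XhrCtor = FakeXhr) {
  const xmlHttp = new XhrCtor();
  xmlHttp.loadflag = obj;
  xmlHttp.open('POST', url1, true);
  xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  // No Content-length and no Connection: the browser sets both itself.
  xmlHttp.onreadystatechange = function () { /* stateChanged(xmlHttp) in the page */ };
  xmlHttp.send(params);
  return xmlHttp;
}

// The original call sequence from the question, kept so the two refusals can
// be observed against the same stand-in.
function originalPassposturl(url1, params, XhrCtor = FakeXhr) {
  const xmlHttp = new XhrCtor();
  xmlHttp.open('POST', url1, true);
  xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  xmlHttp.setRequestHeader('Content-length', params.length);
  xmlHttp.setRequestHeader('Connection', 'close');
  xmlHttp.send(params);
  return xmlHttp;
}

// Constructed sample body: "é" is one UTF-16 code unit but two UTF-8 bytes,
// so params.length is 9 while the real Content-Length is 10.
const SAMPLE_PARAMS = 'name=René';
```

In a page, call passposturl(url, params, obj, window.XMLHttpRequest); the browser then sets Content-Length from the body it actually encodes and manages the connection itself. The byte-count mismatch in the sample is a second reason not to compute Content-Length in script: a hand-built urlencoded body that is not passed through encodeURIComponent can contain non-ASCII characters, and String.length is not a byte length.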