I was wondering why one cannot set cookie headers using setRequestHeader. Is there any specific reason or just that they are added by browser itself, so these headers are disabled? Is there any security issue?
--Edit
I am working on node.js and used the xmlhttprequest
module. Following is the test code:
var xhr = new XMLHttpRequest();
xhr.open('GET', url, true);
xhr.withCredentials = true;
xhr.setRequestHeader('Cookie', "key=value");
xhr.send(null);
Here I need to set cookie-header as node.js' xmlhttprequest
do not explicitly adds cookie-header(as browsers do). When trying to do so, xmlhttprequest
gives error "Refused to set unsafe header
".
Though I have found a patch and successfully able to send the cookie-header. But was wondering why it was disabled to set cookie-header? Where-ever I read, found that it is required for data-integrity and security, but what security can be breached in this case, is mentioned no where. I want to evaluate if, this data-integrity problem is valid for node.js application as well if I go with my patch.