Can't set referer in XMLHttpRequest (chrome)

RESOLVED WORKSFORME

Product: Core
Component: XML
Opened 11 years ago, updated 2 years ago
Reporter: Yan
Assignee: Unassigned
Version: unspecified
Platform: x86, Windows XP
Bug Flags: blocking1.9 -, wanted1.9 +
Firefox Tracking Flags: Not tracked

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

Reproducible: Always

Steps to Reproduce:
1. Run the following code in a chrome script:

var x=new XMLHttpRequest();
x.open('GET','http://google.com',false);
x.setRequestHeader("Referer",'http://example.com/referring_page');
x.send("");

Actual Results:
Referer is not set.

Expected Results:  
Referer should be set.

Updated

11 years ago
Assignee: general → nobody
Component: JavaScript Engine → XML
QA Contact: general → xml

Comment 1

11 years ago
Many screen scraping extensions and Greasemonkey scripts need to set the Referer header to work. I don't think it makes sense to limit them, considering they can do things like cross-domain requests anyway.
Flags: blocking1.9?

Updated

11 years ago
Flags: blocking1.9? → blocking1.9-
Whiteboard: [wanted-1.9]
Flags: wanted1.9+
Whiteboard: [wanted-1.9]

Comment 2

4 years ago
Any news?

Comment 3

2 years ago
This is intended and not a bug, since setting a custom referer would allow CSRF attacks.

See also https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader%28%29-method
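
Comment 3's point concerns web content: a server that treats Referer or Origin as a CSRF check depends on page script being unable to forge those headers. The following is an added example, not part of the bug thread or of Mozilla's code, showing such a server-side check in Node.js; `TRUSTED_ORIGIN`, the function names and the sample requests are constructed for illustration.

```javascript
// Added example: Referer/Origin-based CSRF check (assumed names, constructed data).
const TRUSTED_ORIGIN = 'https://bank.example';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Return the origin of a header value, or null if it does not parse as a URL.
function originOf(value) {
  try {
    const o = new URL(value).origin;
    return o === 'null' ? null : o;
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed.
// headers: object with lower-cased header names, as Node's http module provides.
function checkSameOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: 'safe method' };
  }
  // Prefer Origin, fall back to Referer. Both are written by the browser;
  // web content cannot override them via XMLHttpRequest.setRequestHeader().
  const source = headers['origin'] || headers['referer'];
  if (!source) return { allow: false, reason: 'no Origin or Referer' };
  const origin = originOf(source);
  if (origin === null) return { allow: false, reason: 'unparseable source' };
  // Compare whole origins: a string-prefix test would wrongly accept
  // https://bank.example.attacker.test/.
  return origin === TRUSTED_ORIGIN
    ? { allow: true, reason: 'same origin' }
    : { allow: false, reason: 'cross-origin: ' + origin };
}

// Constructed sample requests.
const samples = [
  ['POST', { referer: 'https://bank.example/transfer' }],
  ['POST', { referer: 'https://bank.example.attacker.test/page' }],
  ['POST', {}],
  ['POST', { origin: 'null' }],
  ['GET', {}],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), checkSameOrigin(method, headers));
}
```

Privileged (chrome) code, which is what this bug is about, and non-browser clients can send any Referer, so a check like this only constrains requests issued by web pages in a victim's browser.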

Comment 4

2 years ago
francesco.montanari, read the bug report. This is for **PRIVILEGED** code, not the code on a webpage.
Flags: needinfo?(francesco.montanari)

Comment 5

2 years ago
This seems to be fixed now. I can't replicate the bug in today's nightly, neither in the scratchpad (using the browser environment) nor a simple XUL addon. The header is sent to a local server in both cases.

If the issue persists for anyone still following this bug, please reopen it and provide more definitive steps to reproduce the issue.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(francesco.montanari)
Resolution: --- → WORKSFORME