User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:188.8.131.52) Gecko/20070515 Firefox/184.108.40.206
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:220.127.116.11) Gecko/20070515 Firefox/18.104.22.168

Reproducible: Always

Steps to Reproduce:
1. Run the following code in the chrome script:

    var x = new XMLHttpRequest();
    x.open('GET', 'http://google.com', false);
    x.setRequestHeader("Referer", 'http://example.com/referring_page');
    x.send("");

Actual Results: Referer is not set.

Expected Results: Referer should be set.
Assignee: general → nobody
QA Contact: general → xml
Many screen scraping extensions and Greasemonkey scripts need to set the Referer header to work. I don't think it makes sense to limit them, considering they can do things like cross-domain requests anyway.
Flags: blocking1.9? → blocking1.9-
This is intended and not a bug, since setting a custom Referer would allow CSRF attacks. See also https://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader%28%29-method
francesco.montanari, Read the bug report. This is for **PRIVILEGED** code. Not the code on a webpage.
This seems to be fixed now. I can't replicate the bug in today's nightly, neither in the scratchpad (using the browser environment) nor a simple XUL addon. The header is sent to a local server in both cases. If the issue persists for anyone still following this bug, please reopen it and provide more definitive steps to reproduce the issue.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
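
The CSRF concern raised in the comments comes down to servers that treat the browser-supplied Origin or Referer header as evidence of where a request came from. The sketch below shows such a server-side check; it is an added example, not code from this bug or from Mozilla, and the origin `https://bank.example`, the function names and the sample headers are all constructed for illustration.

```javascript
'use strict';
// Added example: CSRF source check that relies on Origin / Referer.
// It is only meaningful for requests issued by web content, where the
// browser refuses script-set Referer values. Privileged (chrome/extension)
// code, as discussed in this bug, can set the header itself.

const TRUSTED_ORIGIN = 'https://bank.example'; // assumed site origin

// Return "scheme://host[:port]" for a header value, or null if unparsable.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin; // opaque origins are rejected
  } catch {
    return null; // e.g. the literal Origin value "null", or junk
  }
}

// Decide whether a state-changing request may proceed.
// headers: object keyed by lower-cased header name (Node's http convention).
function checkRequestSource(headers, trusted = TRUSTED_ORIGIN) {
  // Prefer Origin (no path, harder to strip); fall back to Referer.
  const raw = headers['origin'] ?? headers['referer'];
  if (raw === undefined) {
    return { allow: false, reason: 'no Origin or Referer header' };
  }
  const origin = originOf(raw);
  if (origin === null) {
    return { allow: false, reason: 'unparsable source header' };
  }
  // Compare parsed origins exactly. A prefix or substring match would accept
  // look-alike hosts or a trusted URL smuggled into a query string.
  if (origin !== trusted) {
    return { allow: false, reason: `cross-origin request from ${origin}` };
  }
  return { allow: true, reason: 'same-origin' };
}

// Constructed sample requests, printed when the file is run directly.
const SAMPLES = [
  { referer: 'https://bank.example/account' },
  { referer: 'https://bank.example.attacker.test/account' },
  { referer: 'https://attacker.test/?next=https://bank.example/' },
  { origin: 'null' },
  {},
];
for (const h of SAMPLES) {
  console.log(JSON.stringify(h), '->', checkRequestSource(h).reason);
}
```

Because privileged code can supply any Referer it likes, a check of this kind is usually paired with a per-session anti-CSRF token rather than used alone.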