Sunday, June 10, 2012

Refused to set unsafe header

*** If interested in CORS, try this.

This is an annoying little error that I've seen some people mention and even ran into with JavaScript. Moreover, it appears only in Webkit based browsers. So what's the problem? Basically a browser like Google Chrome will not change certain http headers in an XMLHttpRequest using setRequestHeader(). This is not a problem in Firefox or Opera from my testing so far. According to W3, it is actually the behavior they have as "standard" in their working draft. Headers they don't want you to overwrite are
"
  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Host
  • Keep-Alive
  • Origin
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • User-Agent
  • Via
Or if the start of header is a case-insensitive match for Proxy- or Sec- (including when header is just Proxy- or Sec-)."[1]
Now as to where this could be a problem, for me at least, is when I am trying to spoof some headers and want to do so in a browser as apposed to writing a script or getting an addon to do so for me. However, there is a security risk it could open up called HTTP Request Smuggling. As to how one would pull it off, I think an XSS vulnerability would need to be there as well for this in JavaScript to do anything. Bottom line for the security of it on the design end, make sure you check your sources before you use things like external scripts. As for user-end security, just be careful what sites you go to and use some common sense when you can.

Now as for ways around this, you would need either an addon to modify this for you or use related command line arguments. For example, to change the User-Agent header, you launch Chrome from your terminal with the option --user-agent="Some new UA string". As for an addon to do this, I do not know of any or if it is even possible, but if I find something I will update that here.

*[1] - http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method

4 comments:

  1. How do you get Google Chrome to make a CORS request with xmlHttpRequest object then?

    ReplyDelete
    Replies
    1. I poked around on Google to see if I could find some help, and I found a post saying Chrome has a limited "same origin policy" for versions previous to 13, but 13 and up allow CORS. Mozilla suggests checking for:
      if("withCredentials" in request)
      To determine if the browser supports CORS, and the rest seems to be handled in a normal, simple request.

      So I think Google Chrome 13 and up set the necessary headers themselves if they are within these protected headers, probably why they are protected as well, some security measure of some sort.

      My resources I checked were:
      http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
      http://code.google.com/chrome/extensions/xhr.html

      Hope that helps in some way and I'm not just giving you stuff you already know. If you find anything else about this, let me know.

      Delete
  2. Anonymous6/3/14 01:58

    Hello,

    Is there a workaround for this issue ? Any updates on how to achieve setting headers ??? Eagerly waiting....

    I want to be able to set "Connection" and "Kepp-alive" headers.

    Thank you

    ReplyDelete
    Replies
    1. A solution might be found in either my post about CORS in Chrome

      http://news.anarchy46.net/2013/02/chrome-cors.html

      Or a more specific answer to your case might be found by looking into HTTP access-control headers.

      If that doesn't help, let me know and I'll see if I can dig up any other information that might help.

      Delete

Tag Cloud

.NET (2) A+ (5) ad ds (1) addon (4) Android (4) anonymous functions (1) application (9) arduino (1) artificial intelligence (1) backup (1) bash (6) camera (2) certifications (3) comptia (5) css (2) customize (11) encryption (3) error (13) exploit (5) ftp (1) funny (4) gadget (4) games (3) GUI (5) hardware (16) haskell (6) help (14) HTML (3) imaging (2) irc (1) it (1) java (2) javascript (13) jobs (1) Linux (19) lua (1) Mac (4) malware (1) math (6) msp (1) network (13) perl (2) php (3) plugin (2) powershell (8) privacy (2) programming (24) python (10) radio (2) regex (3) repair (2) security (16) sound (2) speakers (2) ssh (1) story (5) Techs from the Crypt (5) telnet (1) tools (13) troubleshooting (11) tutorial (9) Ubuntu (4) Unix (2) virtualization (2) web design (6) Windows (16) world of warcraft (1) wow (1) wx (1)