Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ApiRequester.simpleRequest() sets unsafe headers causing Chrome to report "Refused to set unsafe header" #61

Open
borutjures opened this issue Aug 21, 2015 · 7 comments
Open

ApiRequester.simpleRequest() sets unsafe headers causing Chrome to report "Refused to set unsafe header" #61

borutjures opened this issue Aug 21, 2015 · 7 comments

Comments

@borutjures
Copy link

I'm using Rpc package and it uses http.BrowserClient to send API requests to the server.

However on each POST request, Chrome reports two errors saying:

Refused to set unsafe header "user-agent"
Refused to set unsafe header "content-length"

These two headers are not allowed to be set in a browser as per http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method.

It would be great if Rpc requests from the client skipped setting the headers that are not allowed by the browsers.
@tristancaron tristancaron mentioned this issue Sep 11, 2015
Closed
@wibling
Copy link
Contributor

wibling commented Sep 17, 2015

As Tristan mentioned you can work around this for the moment by wrapping the client and have the wrapper remove the two headers before sending the request.

@wibling wibling closed this as completed Sep 17, 2015
@wibling
Copy link
Contributor

wibling commented Sep 17, 2015

Didn't mean to close the issue.

@wibling wibling reopened this Sep 17, 2015
@Sgoettschkes
Copy link

I am trying to work around this issue. I have a Client which extends the http.BrowserClient and I am trying to unset the headers:

  Future send(var request) {
    request.headers['authorization'] = 'Bearer ${this.key}';
    request.headers['Cookie'] = null;
    request.headers['user-agent'] = null;
    request.headers['content-length'] = null;

    return super.send(request);
  }

The Authorization header gets set correctly but the other three are not overwritten. I am not sure what I'm doing wrong?

@mkustermann
Copy link
Contributor

mkustermann commented Nov 11, 2016
edited
Loading

@Sgoettschkes The issue might be that the entry is still in the map, since setting the value to null doesn't remove the entry from the map:

void main() {
  print({'key' : 'value'});
  print({'key' : 'value'}..['key'] = null);
  print({'key' : 'value'}..remove('key'));
}

will print

{key: value}
{key: null}
{}

@Sgoettschkes
Copy link

@mkustermann And you save me again :) Using remove works, thanks!

@supermuka
Copy link

I am using the Stubs client generated with command pub run rpc:generate client -i lib/server/api.dart -o lib/client and the error commented in this issue is occuring:

image

Is there a workaround?

@mkustermann
Copy link
Contributor

The workaround is is basically described above: Wrap the underyling browser-based http client and remove the 2 headers before sending it further.

For background knowledge: The generated api client libraries try to supply as much information to the underlying http.Client as they can, which includes the user-agent and the content-length headers (which are very useful for some http clients). Though in the browser case the http client is not allowed to override these headers, because the browser sets them itself.

@jakobr-google I think the easiest solution would be to allow the generated client libs to accept a boolean whether to set these headers, or have a wrapping-http-client for people to use. Would you be interested in looking into this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Sgoettschkes @mkustermann @borutjures @supermuka @wibling